Slashdot Mirror


U.S. Government Issues Report on VoIP Security Holes

ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

112 comments

  1. VOIP calls aren't encrypted? by Motherfucking+Shit · · Score: 5, Insightful
    From the article:
    Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping.
    This amazes me, I can't believe that the calls are floating around in raw audio. Would a little encryption add so much overhead that it would bog down the system? Or is this due to CALEA or other laws?
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:VOIP calls aren't encrypted? by Spetiam · · Score: 4, Informative

      Skype says its calls are encrypted.

      The calls... are highly secure with end-to-end encryption.

      Whether their scheme is snake oil or for real, I don't know, as I can't find any documentation on it, much less source code.

    2. Re:VOIP calls aren't encrypted? by Bananatree3 · · Score: 4, Informative
      According to Skype's FAQ, all of their VoIP calls are encrypted:

      Calls between Skype software users (PC-to-PC calls) are secure and encrypted. Calls to standard telephone or mobile numbers are encrypted until they reach public switched telephone network. Note that in a conference call where one participant is a PSTN (regular telephone or mobile phone) number/phone number, the padlock icon will not appear indicating that the call is not encrypted.

    3. Re:VOIP calls aren't encrypted? by MikeSingee · · Score: 2, Interesting

      That is a very good point, also we may want to consider the implications for the patriot act. Would this fall under the internet guidelines, or the phone guidelines, or neither?

    4. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 3, Interesting

      The fact that you know what calea is, says that you already know more than you are letting on. Yes, the average /.er knows about the patriot act, but few know about calea.

      But for the record, calea has nothing to do with VOIP/SIP being encrypted or not. It was more about keeping it simple. Then you are free to add encryption at a lower layer. Much easier to add encryption just prior to the net.

    5. Re:VOIP calls aren't encrypted? by IWannaBeAnAC · · Score: 4, Insightful
      If there is no documentation, then it is almost certainly snake oil.

      Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls. Moderately easy to break, but obscure, encryption is exactly what they would be looking for. 99% of criminals will be too dumb to break it, and the other 1% are needed to justify the homeland security budget.

    6. Re:VOIP calls aren't encrypted? by cduffy · · Score: 2, Informative

      There are standards for running encryption on top of SIP (see SRTP), but almost nobody implements them. Much more common is to avoid running SIP on the open Internet -- my company uses SIP for VoIP, but we only run it within a closed LAN or tunneled through OpenVPN.

    7. Re:VOIP calls aren't encrypted? by CodeBuster · · Score: 4, Insightful

      The Rijndael algorithm, which is now the federal Advanced Encryption Standard (AES), is a fast symmetric block cipher which is both public domain and spreading quickly in use. It would not be difficult for the phones to use a public key scheme such as RSA to exchange a session key for Rijndael. The FBI doesn't waste their time intercepting your network traffic and cracking the encryption by brute force computation. They simply bug the keyboard or the room and recover your key. Why waste time picking a complicated lock when you can easily steal the key?

    8. Re:VOIP calls aren't encrypted? by Talennor · · Score: 5, Informative

      CALEA says:

      "ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

      Which in my first glance at this means that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again I'm not even sure if this applies to VoIP since this isn't exactly a service I'm currently familiar with. I'll note though that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more or is it just a regulatory mess?

      --

      //TODO: signature
    9. Re:VOIP calls aren't encrypted? by MavEtJu · · Score: 1

      Easy to find out, capture the payload, push it through an iLBC channel and listen if there is any recognizable sound.

      --
      bash$ :(){ :|:&};:
    10. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 5, Informative

      Any system which hides key management completely is snake oil, to a certain extent. Encryption without authentication is useless, and the best authentication you can get with completely hidden key management is that an attacker has to be in the middle from the start and all the time to be undetectable. Better than nothing, but not really secure either. The achievable level is about the same as an SSH account where you never check if the server fingerprint is OK.
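The "SSH account where you never check the fingerprint" comparison above is trust-on-first-use. The following added example (not code from the post or from any VoIP product) models that assurance level: a pin store that records the peer's key fingerprint on first contact and flags a change later. The key bytes, peer name and hypothetical `pin_out_of_band` step are constructed for illustration; real endpoints would carry DH or RSA public keys here.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """Short identifier for a peer's long-term public key (SHA-256, hex)."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Trust-on-first-use (TOFU) store: the assurance an SSH client gives when it
    records a host key in known_hosts without verifying it against anything."""

    FIRST_USE = "FIRST_USE"   # nothing to compare against; an attacker present now stays invisible
    MATCH = "MATCH"           # same key as every earlier call
    MISMATCH = "MISMATCH"     # key changed since it was pinned: refuse the call and alert

    def __init__(self):
        self._pins = {}       # peer id -> fingerprint seen on first contact

    def check(self, peer: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        known = self._pins.get(peer)
        if known is None:
            self._pins[peer] = fp
            return self.FIRST_USE
        return self.MATCH if known == fp else self.MISMATCH

    def pin_out_of_band(self, peer: str, fp_hex: str) -> None:
        """Hypothetical step: pin a fingerprint confirmed over a second channel
        (read aloud, printed on a card). Only this turns hidden key management
        into authentication that holds from the first call."""
        self._pins[peer] = fp_hex


def run_call_series(store: PinStore, peer: str, keys_seen: list) -> list:
    """Verdict for each successive call, given the public key presented on each."""
    return [store.check(peer, k) for k in keys_seen]


# Constructed keys: GENUINE belongs to the real peer, SUBSTITUTE is what an
# interposed party would present in its place.
GENUINE = b"constructed-genuine-peer-key"
SUBSTITUTE = b"constructed-substitute-key"


def late_attacker() -> list:
    """Interposition begins on the third call: TOFU detects the key change."""
    return run_call_series(PinStore(), "alice", [GENUINE, GENUINE, SUBSTITUTE])


def attacker_from_start() -> list:
    """Interposition from the first call onward: every call looks consistent."""
    return run_call_series(PinStore(), "alice", [SUBSTITUTE, SUBSTITUTE, SUBSTITUTE])


def attacker_from_start_with_oob_check() -> list:
    """An out-of-band fingerprint comparison exposes the substitute immediately."""
    store = PinStore()
    store.pin_out_of_band("alice", fingerprint(GENUINE))
    return run_call_series(store, "alice", [SUBSTITUTE])
```

The three scenarios are the whole argument of the comment: the store catches a key that changes mid-relationship, says nothing about one that was wrong from the start, and only an independent channel closes that gap.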

    11. Re:VOIP calls aren't encrypted? by frakir · · Score: 1

      And how is 'bugging the keyboard or the room' going to find out about my RSA key? I don't type it; I don't even know it. Same goes for Diffie-Hellman key exchange. Bugging the room doesn't cut it.

    12. Re:VOIP calls aren't encrypted? by CodeBuster · · Score: 2, Interesting

      They bug the room for audio conversations that you have when you use your IP phone. You do speak when you have a phone conversation don't you? Perhaps you are deaf and use the keyboard or teletype terminal instead. In either case a bug of the appropriate type can be used to either eavesdrop on the audio conversation or intercept the keystrokes. The point was that physical access to your hardware, which the FBI can almost certainly arrange, trumps transmission security arrangements such as encryption.

    13. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 0

      One of the problems with encrypting VoIP calls is the limited amount of time available for implementing security measures. With the maximum delay permitted for voice being around 150ms (statistically calculated), the time available for encryption and other security mechanisms is around 20ms to 50ms maximum.
      Standards exist in the H.323 protocol for assuring confidentiality of the calls, but implementing this in an efficient way is not easy and you would imagine that VoIP operators will be more concerned with the quality of their calls than with user privacy.

    14. Re:VOIP calls aren't encrypted? by sd_spot · · Score: 3, Interesting

      Ain't this grand?

      6-8 weeks ago I exchanged email with Vonage on this very subject. What security protocols do they follow for protecting signaling/bearer traffic? big black hole getting meaningful information - but was _assured_ they used 256 bit encryption with a xx bit nonce. Now I read a Vonage representative is asserting they do not perform encryption? Somebody was not telling the truth.

      Regarding CALEA: when you make a phone call (UMTS, GSM, VoIP - doesn't matter), your connection is routed via a switch. Between your phone and the switch is where encryption, if used, is applied. Once your traffic reaches the switch edge, it is decrypted. After it is decrypted and in the switch is where CALEA gets its hands on it. The traffic is then (depending on the destination leg) encrypted using that leg's session key.

      As for why Vonage (and except for Skype - maybe others) are not following basic principles for information assurance? I'd say cost. Nobody is screaming for it and they aren't losing sales. Maybe that will change. I really don't think the processing burden could be so great - look at GSM and UMTS. Both are spec'd to do originating/terminating leg encryption.

      What I find the most irritating about all this is the canard about a guy with alligator clips tapping my line. Other than breaking into a phone company box - the only place to tap that line (except lawfully in the switch) is at the edge of my house (something I would not react favorably to). But, tapping a VoIP session on a cable-modem local loop (say, by my neighbor) is far less obvious. Maybe more difficult - but more covert. Would it be so difficult to build a protocol analyzer that looks for 1-800 #'s corresponding to phone-order sales and only record those calls?

      I'm glad to see this getting attention. I will admit, if it wasn't for security concerns, I'd have left my POTS by now.

      sd_spot

      --
      Tell me what you know, tell me what you don't know - but never tell me you know what you don't know
    15. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 0

      Yep, options are pretty poor out there; the best solution atm is a VPN or similar to your VoIP provider, which you will likely have to pay for.

    16. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 0

      Apparently these people have not heard of this widely used encryption protocol better known as SSLv2.

    17. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 0

      Would it be impossible to call a POTS phone from a VoIP client if the audio was encrypted?
      It would only be encrypted over the IP part of the network, much like GSM is encrypted only between base station and the GSM phone.

    18. Re:VOIP calls aren't encrypted? by __aahlyu4518 · · Score: 1

      "Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls"

      Maybe I can tell you a little secret? WORLD does not equal USA. And VOIP is not a US-only thing.

      So FBI can scream all they want. We can still have encryption in the FREE world.

    19. Re:VOIP calls aren't encrypted? by IWannaBeAnAC · · Score: 1
      Of course. But this story is about a US Government report, and they are within their rights to impose whatever regulations they like on what consumers can use for electronic communication.

      As for citizens of other countries, they are subject to various degrees of US influence....

    20. Re:VOIP calls aren't encrypted? by computational+super · · Score: 1
      Would a little encryption add so much overhead that it would bog down the system?

      I can't imagine why it would. All you need to do is add a little "lock" icon in the lower right-hand corner of the screen. That's - what? 100 pixels of overhead? Practically nothing.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    21. Re:VOIP calls aren't encrypted? by Da_Biz · · Score: 1

      Uh, what are you talking about? There are codecs other than iLBC (a-law, u-law, TrueVoice, CELP, etc.). The GrandStream Budgetone-100 phones, for instance, default to a/u-law.

      There is more difficulty than you assume in the process of intercepting RTP/RTSP traffic and playing back the audio data.

    22. Re:VOIP calls aren't encrypted? by __aahlyu4518 · · Score: 1

      True... I've been working too hard to RTFA :-)

      sorry :-)

    23. Re:VOIP calls aren't encrypted? by sd_spot · · Score: 1

      I've scanned over the replies, and haven't seen this mentioned.

      Don't assume that the difficult part of the "encryption" requires the plaintext. All you really need (and this is what GSM/UMTS does) is a way to "agree" on a pseudo-random number sequence. You can pre-generate that sequence (within certain constraints) and apply it by an xor to the plaintext. The receiving end does the same.

      How do you agree on a pseudo-random sequence? You run AES (or any block cipher) in one of its feedback/chaining modes. All you have to agree on then is the IV. Each frame sent from your phone is numbered in some manner. That number helps for packet ordering (I am not necessarily talking about IP header numbering) and also helps the receiver determine what pre-generated sequence to apply. In UMTS/GSM, that "number" is the count parameter and is part of the IV fed into the Rijandal (I doubt that is spelled correctly, sorry).

      A pure voice call over POTS requires 64kbps (8bit PCM samples at 8khz sampling rate). A cell phone call requires around 12-15kbps to achieve reasonable voice clarity. The difference is achieved by a codec that takes the analog voice and encodes it into a fixed length vocoder frame. That fixed frame length allows me to pre-generate just enough pseudo random bits to apply "encryption". Note that each frame represents 20 (or so) ms of "speech". Loss of a single frame isn't going to kill you. I do not know the VoIP codec rate. They may even send a PCM stream to/from the VoIP "server".

      sd_spot

      --
      Tell me what you know, tell me what you don't know - but never tell me you know what you don't know
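The per-frame keystream scheme sd_spot describes (pre-generated pseudo-random bits selected by a frame counter and XORed into fixed-length vocoder frames) is, in outline, what SRTP does, as cduffy's comment 6 mentions. The following is an added example, not code from either poster or from any SRTP implementation. It assumes a session key already agreed by some exchange, a constructed 32-byte frame size, and uses HMAC-SHA256 in counter mode as a stand-in for AES-CTR so that it runs on the Python standard library alone; the 10-byte tag mirrors the truncated MAC that SRTP pairs with its keystream, since the comment's XOR alone gives no integrity.

```python
import hmac
import hashlib

FRAME_BYTES = 32   # constructed size of one 20 ms vocoder frame
TAG_BYTES = 10     # 80-bit truncated tag; SRTP's default HMAC-SHA1-80 truncates the same way
COUNTER_LIMIT = 2 ** 32


def keystream(enc_key: bytes, call_iv: bytes, frame_count: int, length: int) -> bytes:
    """Pseudo-random bits for frame number `frame_count` of this call.
    A block cipher (AES) in counter mode is what a real implementation uses;
    HMAC-SHA256 over (IV || frame counter || block index) stands in here.
    The output depends only on (key, IV, count), so it can be pre-generated
    before the audio frame exists, which is the latency point in the comment."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = call_iv + frame_count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def frame_tag(auth_key: bytes, frame_count: int, ciphertext: bytes) -> bytes:
    """Tag over counter and ciphertext. XOR encryption alone lets anyone flip
    plaintext bits undetected, which is why SRTP adds a MAC to the keystream."""
    data = frame_count.to_bytes(4, "big") + ciphertext
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:TAG_BYTES]


class Sender:
    def __init__(self, enc_key: bytes, auth_key: bytes, call_iv: bytes):
        self.enc_key, self.auth_key, self.call_iv = enc_key, auth_key, call_iv
        self.count = 0

    def protect(self, frame: bytes):
        # Never reuse a (key, IV, count) triple: two frames under one keystream
        # leak their XOR. Rekey rather than letting the counter wrap.
        if self.count >= COUNTER_LIMIT:
            raise RuntimeError("frame counter exhausted; rekey before continuing")
        ct = xor_bytes(frame, keystream(self.enc_key, self.call_iv, self.count, len(frame)))
        packet = (self.count, ct, frame_tag(self.auth_key, self.count, ct))
        self.count += 1
        return packet


class Receiver:
    def __init__(self, enc_key: bytes, auth_key: bytes, call_iv: bytes):
        self.enc_key, self.auth_key, self.call_iv = enc_key, auth_key, call_iv

    def unprotect(self, count: int, ct: bytes, tag: bytes):
        """Returns the frame, or None if the tag fails. Each frame decrypts on its
        own counter, so a lost or reordered packet does not desynchronise the stream."""
        if not hmac.compare_digest(tag, frame_tag(self.auth_key, count, ct)):
            return None
        return xor_bytes(ct, keystream(self.enc_key, self.call_iv, count, len(ct)))


def round_trip(dropped=(), corrupted=()):
    """Send five constructed frames; drop the counters in `dropped`, flip one bit in
    the ciphertext of those in `corrupted`. Returns {counter: recovered frame or None}."""
    enc_key = b"constructed-session-key-32-bytes"   # in practice agreed via RSA or DH
    auth_key = b"constructed-auth-key-0123456789ab"
    call_iv = b"constructed-call-iv"
    sender = Sender(enc_key, auth_key, call_iv)
    receiver = Receiver(enc_key, auth_key, call_iv)
    frames = [bytes([i]) * FRAME_BYTES for i in range(5)]
    recovered = {}
    for count, ct, tag in (sender.protect(f) for f in frames):
        if count in dropped:
            continue                      # packet lost on the network
        if count in corrupted:
            ct = bytes([ct[0] ^ 0x01]) + ct[1:]
        recovered[count] = receiver.unprotect(count, ct, tag)
    return recovered
```

Dropping frame 2 leaves frames 0, 1, 3 and 4 intact, which is the "loss of a single frame isn't going to kill you" property; a corrupted frame is rejected by the tag rather than played back as garbage.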
    24. Re:VOIP calls aren't encrypted? by cduffy · · Score: 1

      What security protocols do they follow for protecting signaling/bearer traffic? big black hole getting meaningful information - but was _assured_ they used 256 bit encryption with a xx bit nonce.

      Perhaps they were discussing digest authentication used for signaling? (It's not strong by any means -- requests can be read and modified in flight even though the password is protected from interception; it's literally the exact same mechanism used for HTTP Digest authentication).
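cduffy's point that the digest mechanism protects the password but not the request can be shown directly. The following added example (not code from the comment or from any SIP stack) computes the Digest `response` as RFC 2617 defines it and SIP reuses it, then checks what the server's verification covers. Username, realm, nonces, the SDP bodies and the password are constructed values.

```python
import hashlib
import hmac

PASSWORD = "constructed-secret"   # shared secret; never itself sent on the wire


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=b""):
    """Digest 'response' value as defined in RFC 2617 and reused by SIP."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}".encode())
    if qop == "auth-int":
        # auth-int folds a hash of the body into HA2, so the body is covered too
        ha2 = _md5_hex(f"{method}:{uri}:{_md5_hex(body)}".encode())
    else:
        ha2 = _md5_hex(f"{method}:{uri}".encode())
    if qop is None:
        return _md5_hex(f"{ha1}:{nonce}:{ha2}".encode())
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def build_request(method, uri, body, qop=None):
    """Client side: a SIP request with a Digest response over the fields the
    server will check. Nonce and cnonce are constructed values."""
    req = {
        "username": "1001", "realm": "voip.example",
        "method": method, "uri": uri, "body": body,
        "nonce": "constructed-server-nonce", "qop": qop,
        "nc": "00000001" if qop else None,
        "cnonce": "constructed-client-nonce" if qop else None,
    }
    req["response"] = digest_response(
        req["username"], req["realm"], PASSWORD, method, uri, req["nonce"],
        qop, req["nc"], req["cnonce"], body)
    return req


def server_accepts(req, stored_password) -> bool:
    """Server side: recompute from the stored secret and compare in constant time."""
    expected = digest_response(
        req["username"], req["realm"], stored_password, req["method"], req["uri"],
        req["nonce"], req["qop"], req["nc"], req["cnonce"], req["body"])
    return hmac.compare_digest(expected, req["response"])


INVITE_URI = "sip:bob@voip.example"
SDP = b"v=0\r\nm=audio 20000 RTP/AVP 0\r\n"              # constructed SDP offer
SDP_ALTERED = b"v=0\r\nm=audio 40000 RTP/AVP 0\r\n"      # same offer, media port changed


def genuine_request_accepted(qop=None) -> bool:
    return server_accepts(build_request("INVITE", INVITE_URI, SDP, qop), PASSWORD)


def body_change_accepted(qop=None) -> bool:
    """The SDP body is altered in flight. Without qop, or with qop=auth, the
    response still verifies because HA2 covers only method and URI; only
    auth-int (rarely deployed) or a transport layer such as TLS catches this."""
    req = build_request("INVITE", INVITE_URI, SDP, qop)
    altered = dict(req, body=SDP_ALTERED)
    return server_accepts(altered, PASSWORD)


def uri_change_accepted() -> bool:
    """The Request-URI is part of HA2, so changing it does invalidate the response."""
    req = build_request("INVITE", INVITE_URI, SDP)
    altered = dict(req, uri="sip:other@voip.example")
    return server_accepts(altered, PASSWORD)


def wrong_password_accepted() -> bool:
    return server_accepts(build_request("INVITE", INVITE_URI, SDP), "not-the-password")
```

The four checks match the comment: the secret never travels and a wrong one fails, the URI is bound, but the body that carries the media parameters is not, so the signaling needs a protected transport regardless of the digest.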

  2. Discussed on the Vonage VoIP Forum by kamikaze-Tech · · Score: 5, Informative

    This has been discussed at great lengths on the Vonage VoIP Forum here: http://www.vonage-forum.com/ftopic5604.html and also here: http://www.vonage-forum.com/ftopic3422.html

  3. 99 Pages, and a bitch aint one by MikeSingee · · Score: 4, Funny

    Chances of slashdotters reading that 99 page government report are about the same as VoIP being secure.

    1. Re:99 Pages, and a bitch aint one by Tobias.Davis · · Score: 0
      And the chances of a slashdotter reading TFA are smaller than the chances of thermonuclear warfare

      Goat

  4. Sunrocket is in trouble? by guyfromindia · · Score: 1

    Dang! Looks like it's time to get rid of my SunRocket account! Anyone know how secure those VoIP boxes are? For e.g. I can log on to my friend's box with the default password 'welcome' (only for SunRocket).

  5. Obscurity by Anonymous Coward · · Score: 0

    Great, a post where I don't RTFA before I post, I'd stay anonymous for that reason alone.

    Anyway, I would think that obscurity is almost always the best security.

    1. Re:Obscurity by WindBourne · · Score: 0, Troll

      And in spite of your obscurity,

      • /. knows your IP.
      • the spyware running on your Windows box knows your e-mail, your SSN, your passwords etc.
      • the US gov. knows who you are, where you live, what you talked about with whoever, what you view on which site, that [bg]f that you talked to while your wife slept upstairs, etc.
      • Funny thing is, it does not matter if you live in the states or not.

      Ignorance is soooooo bliss.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    2. Re:Obscurity by unixfan · · Score: 2, Insightful

      In the security field, obscurity is not at all considered secure.

    3. Re:Obscurity by liam_p · · Score: 1

      I think the obligatory quote is from Auguste Kerckhoffs's laws in 'La cryptographie militaire' - 'It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience'.

      Security through obscurity indeed!

  6. stop the presses! by to_kallon · · Score: 3, Funny

    "As VoIP is rolled out en masse, we're going to see an increased number of subscribers and also an increased number of attackers," says David Endler, chairman of the VoIP Security Alliance

    it's easy to see he's an expert. i mean, who else could come up with such an idea? the very premise of it is far-fetched to the point of hilarity. to think that as a product becomes more widely used it is targeted by a larger population...craziness.

    --
    The only way to get rid of a temptation is to yield to it.
    -Oscar Wilde
  7. It's all about standards by Anonymous Coward · · Score: 0

    Latency issues and the lack of a formal standard for encrypting it is the issue at hand

    We could do the encryption on hardware, but it's too computationally costly and without a formal standard, how do you guarantee your phone talks to another?

  8. Damned if you do, damned if you don't by wcitech · · Score: 3, Insightful

    I can find a little bit of humor in the situation... If the government finds that a communications system is insecure, they make reports complaining about it (motivating engineers to secure it). If the government finds that a communications system is too secure, they go to court so they can tap into it. (remember the voip wire-tapping ordeal?)

    1. Re:Damned if you do, damned if you don't by hoka · · Score: 1

      I don't particularly see what is so humorous. The government is consistently acting in its own best interest - it wants people to be secure enough to feel safe and not have issues that can be escalated to the government - but it also doesn't want people to be so secure that it can't break them if it is a matter of national security. Would you want Osama bin Laden calling you on the phone over the Internet going "Whaazzzup?" without the Government knowing? Corporate/Government Security and consumer privacy don't really tend to mix well either way. Personally I don't think any available communication mechanism is really secure - VoIP has too many vulnerabilities due to the fact that it can be packet-switched routed over the network - and current circuit-switched phone systems are vulnerable to severe social engineering attacks. I witnessed someone socially engineer his way through some phone service, use that to make a free phone call to some country in Latin America, use that contact to gain necessary information relevant to the continuation of social engineering, and then got stopped by the owner of the phone moments before the person confirmed the activation of every feature you can think of for free. Tapping into networks and enumerating other information is a very easy task, and the best way of dealing with these communication mechanisms is to not rely on them, nor to assume that they are or can be secure. Without that expectation you are less prone to be "surprised" by attacks.

    2. Re:Damned if you do, damned if you don't by WindBourne · · Score: 1

      The real question is, was it too secure? Or was it FUD designed to encourage bozos to move on over to an easier to crack system? VOIP is actually easier to work with as the processing of empty info has already been cleared out. So what remains is actually useful data and uses much less cycles in a tool that is designed to search and modify the packets.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  9. VOIP nope not for me by Grand+Facade · · Score: 3, Insightful

    I'm not giving up my copper! No way! It is protected by law. And it is more insecure than most any other form of communication. But has a high degree of reliability. So I'm sticking to it.

    Big business is who wants VOIP cause they want to get rid of the expensive telecom infrastructure and gain a higher degree of control.

    --
    Rick B.
    1. Re:VOIP nope not for me by IANAAC · · Score: 2, Insightful
      I'm not giving up my copper! No way! It is protected by law.

      Give it time. VoIP will become every bit as protected. There's already too much money flowing in the biz to let it go by the wayside now.

      What I think WILL happen is a mass consolidation of most of the current small VoIP companies. Then, of course, prices will rise.

    2. Re:VOIP nope not for me by Lumpy · · Score: 2, Interesting

      feel free to keep your copper.

      I have switched to VoIP and have 1 copper line incoming for only failover during power outages.

      VoIP, at least from a decent provider can be awesome as soon as you plop an Asterisk box in front of it. ( the crappy providers will not let you use Asterisk so be sure to ask before you buy)

      This gives me services that no phone company on the planet can offer. my phones do not ring after 10pm unless the callerID matches a number in the important list. telemarketers never get through even the ones that are being legal and not blocking. they all get routed to a special message that starts with the three tone disconnected sound, then a special 'hello........ hello ..... I'm sorry we do not accept telemarketing calls....bla bla bla..."

      This works unbelievably great. I get a predictable phone bill that is less than 20 bucks a month with all the long distance I want to call I am not being extorted for caller-id touchtone dialing or other "features" that certainly should be included. and reliability has been excellent. My provider (Broadvoice) allows 4 channels running from the same gear so if I'm talking to Grandma in California my daughter can be talking to her friends here in a conference call and we can still get an incoming call.

      all for less than the absolute lowest service plan that charges me $0.06 every time I pick up the phone line on the copper.

      I am so enamored with VoIP that I will be buying a second line from my provider soon.

      the problem is that the story talks about things that will remove the ability for me to use Asterisk as my Voip gear.

      and that will be a major step backwards.

      --
      Do not look at laser with remaining good eye.
    3. Re:VOIP nope not for me by IANAAC · · Score: 1
      VoIP, at least from a decent provider can be awesome as soon as you plop an Asterisk box in front of it. ( the crappy providers will not let you use Asterisk so be sure to ask before you buy)

      My provider - Broadvoice - definitely allows you to use an asterisk system, or any other, for that matter, under their BYOD plans. They provide pretty detailed instructions to get you up and running, too. The fact that they don't hide their setup information was the main reason I went with them.

    4. Re:VOIP nope not for me by Anonymous Coward · · Score: 0

      read the parent. that is WHO he mentions is a worthwhile provider.

      Vonage is NOT a worthwhile provider and I warn people away from them and Packet8 every chance i get

    5. Re:VOIP nope not for me by CharlieHedlin · · Score: 1

      I use Broadvoice too, but their reliability sucks. Please let me know if you have experienced otherwise.

      I want them to get their act together, because no one else comes close on price/features when combined with Asterisk.

    6. Re:VOIP nope not for me by bradleyland · · Score: 1

      POTS communication can be intercepted with a $100 butt-set and very little skill. How is that more secure?

    7. Re:VOIP nope not for me by timeOday · · Score: 1
      What I think WILL happen is a mass consolidation of most of the current small VoIP companies.
      Are you so sure? VOIP companies are not like traditional phone or cable companies, because they don't own the infrastructure. VOIP providers don't dig up roads to bury cable or have an army of technicians in every city. Since there is no big capital investment, what is to stop competition?
    8. Re:VOIP nope not for me by IANAAC · · Score: 1
      Are you so sure?

      It's an opinion, but I really do think it'll happen.

      Remember when there was a real choice of ISPs, other than the Bells and Cable? I'm talking regional ISPs. I started on a small, county-wide ISP that went through three purchases before it became part of Covad's operations.

      Right now I see the VoIP industry in the same place. You get a fairly large choice as far as who your provider can be, but, as things start to get more regulated, the bottom line's only going to get tighter for these companies, and they'll need to join forces to survive. Remember, also, that a large number of these VoIP companies are privately held, also affecting the bottom line.

      It'll be interesting to see where VoIP is in 5 years.

    9. Re:VOIP nope not for me by jedaustin · · Score: 1

      Ditto on reliability.. Down now for day two..

    10. Re:VOIP nope not for me by Anonymous Coward · · Score: 0

      I've had zero problems with reliability. past 3 months 100% uptime except for the short stint with Comcast changing their DNS servers to something managed by a bunch of MCSE's instead of IT professionals that know what they are doing.

      when my cable connection is reliable broadvoice is reliable. the key is to go through their servers and use the one that gives you the best ping times and not use what they recommend.

      also, the biggest thing I think that sucks is 2+ hour minimum wait on tech support phone calls. and don't even try to email tech support if you want an answer within the next 90-120 days.

  10. woulda been nice to know it was PDF ... by 2TecTom · · Score: 3, Insightful

    ... sigh, here we go again.

    Imagine this, you're far, far away in some distant, lost, Internet cafe. You are deeply in the backwoods of the third world. Your cellular 911, for some reason, isn't working. You see a /. story, with a link to an applicable article. You've just desperately clicked the link to the aforementioned article. Five minutes later, you begin to wonder three different and distinct things.

    1) Is the system locked up?
    2) How much is this going to cost now?
    3) Is that MODEM actually starting to smoke?

    IMHO, PDFs or links, especially unlabelled ones, are less than professional. Please, just say no.

    --
    Words to men, as air to birds.
    1. Re:woulda been nice to know it was PDF ... by Anonymous Coward · · Score: 0

      I guess the severity of this problem depends on the browser you're using. In FireFox and IE, hovering your mouse over the link changes the status bar to the target URL... Glance down and you'll know it's a PDF, takes half a second.

      --
      Rate Naked People at FuckMeter.

    2. Re:woulda been nice to know it was PDF ... by timboc007 · · Score: 2, Informative

      I would highly recommend Firefox plugin/extension TargetAlert. This extension places a small icon next to links to indicate the type of link it is, including a small PDF icon for PDF files, a Word icon for Word files etc.

      I knew it was a PDF link :-)

    3. Re:woulda been nice to know it was PDF ... by calyptos · · Score: 1

      PDFs load very nicely for me on my new Macintosh with "Preview". It opens just as if it were a picture, and just as fast. I wouldn't blame the author of the article for a bad PDF application.

      --
      http://illhostit.com/ - Webhosting
    4. Re:woulda been nice to know it was PDF ... by corpsiclex · · Score: 2, Funny

      ...Because when I'm lost in the backwoods of the third world and 911 doesn't seem to work, my next move is always to check slashdot for a relevant article.

      --

      eBayDig 1s a typo saerch engien
    5. Re:woulda been nice to know it was PDF ... by Soulfarmer · · Score: 1

      I always check the statusbar/etc. to see where a link goes before I click on it. Usually it is clear enough. And usually, at the sites I trust, it is not faked url even.

      Might be helpful to you too. :)

      --
      -Is the meaning of life vanity, or is vanity the meaning of life?
    6. Re:woulda been nice to know it was PDF ... by batura · · Score: 1

      God, that mouseover effort on the link is such a bitch.

    7. Re:woulda been nice to know it was PDF ... by Anonymous Coward · · Score: 0

      Yo, noob, most browsers show you the URL when you mouse over the link. It's not too hard to see that a URL ending in .pdf is (shock) a PDF.

      It's the cry-baby, techno-illiterates like you that make me realize that virus writers have a noble role in internet society. Kind of a Darwinian / evolution / survival of the fittest enforcement role.

      Do the rest of us a favor -- cancel your AOL account and mail your computer back to Gateway, m'kay Bambi?

  11. Gun in a field by deathcloset · · Score: 5, Insightful

    Security through obscurity is one of those strange concepts.

    Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.

    When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.

    Virtually, but not completely.

    That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.

    Is it?

    1. Re:Gun in a field by IWannaBeAnAC · · Score: 1

      I dunno... it is the basic survival tactic used by all herd animals, and it works for them.

    2. Re:Gun in a field by CA_Jim · · Score: 1

      Your analogy is not quite right. The only way you would be hit is being in the spot where the bullet lands. It doesn't depend upon how many people are playing, one, two or billions. If you're not in the right (wrong) spot, you will not be hit.

      Of course, the more people who stand on the field, the more likely that SOMEONE will be hit increases.

    3. Re:Gun in a field by MoralHazard · · Score: 2, Insightful

      This is a great explanation, and ought to be modded up. I guess you would call it a kind of collective action problem.

      Each individual looks at the situation and determines that their own costs are very, very low--while getting hacked/shot is annoying, the odds of it happening are pretty outside. Taking the "cost" as being the actual cost of an incident times the likelihood of an incident, and you get a pretty low number.

      But considering the same question from a group point-of-view, it's not a question of weighted risks, so much--we know that SOMEone in the group will get hit/hacked, probably several if we're talking about hacking. So you determine the total societal "cost" as the cost per incident times the number of incidents that will likely occur.

      It's not really possible to rationally do risk-assessment in the first situation, because the minute individual cost to me is so low that it's basically noise. But at a group level, it IS possible to weigh the total cost of our collective behavior against alternatives.

      I'm not saying that increasing security measures will always be a good idea, here, though--the cost of additional security might be greater than the losses of the status quo, in which case it would make more sense to leave things alone. But at least you can make an informed decision.

      I'm also not taking a socialist, collectivist tack, here. There's a lot of room for market-based solutions that use this kind of thinking: Symantec sees millions of individual malware sufferers and provides a product that helps decrease the damage--they market and advertise and push the product to customers like us, adjusting our behavior to something better.

    4. Re:Gun in a field by Anonymous Coward · · Score: 0

      That's not true. Security through obscurity is security as well. To continue with that metaphor, say the rifle isn't pointed at the sky but is actually being aimed at you. Now turn off the lights. Suddenly the attacker can't find you to shoot at you, so he or she shoots randomly.

      The problem here is twofold: first off, if a lucky shot goes off you've got nothing. A good bullet-resistant vest would have gone a long way here, though the security-through-obscurity is better than nothing. The second is the big one: as soon as someone turns a flashlight on you, you're not going to get back into the dark again anytime soon.

      In summary: security through obscurity makes you more secure, but in a very temporary fashion.

    5. Re:Gun in a field by Anonymous Coward · · Score: 0

      A better analogy is to imagine there are millions milling in a field and a rifleman off on a hill a ways away. He shoots into the field and will surely hit someone, but the chances that it's you are very, very low. If you're the only one in the field though, you've got a big target on your head.

    6. Re:Gun in a field by Creepy+Crawler · · Score: 3, Interesting

      Ok, we have "security by obscurity".

      Erm, isn't our current knowledge of encryption technology based much on secret numbers? Well, it is 1 in 2^128 or 2^256 or some huge number, but is this the similar analogy you use?

      Well, first off security CAN be improved, but it uses the same techniques I use for software protections.

      There should be no meta-data telling what encrypted the data, what encryption schemes, or whatever to even start off. You should consider these to be the first 'shared secrets'. This has a side benefit as when a 3rd party attempts to decrypt it, it just gives garbage in which SOMETHING has to interpret. It should not be as simple as "GPG v3.2 Diffie-Hellman 4096 bit key" does not match.

      Next off, all decryption attempts should go through. What would you rather do: scan the encrypted files for headers in which to try dictionaries OR be forced to try all types of encryption to try to guess which one does what (if you can).

      The next, for network security, is 'knock knock' scripts. What's safer: login/passwd prompt on ssh OR 10 timed packets aimed at different ports (that change on time of day) that then proceed to open ssh until disconnect?

      I know what I'd choose if my security depended on hiding, firewalling THEN login/passwords.

      The whole point is OBFUSCATION is a valid security mechanism, not that it is the end-all be-all or anything, but it does have its places.

      --
    7. Re:Gun in a field by Anonymous Coward · · Score: 0

      But.. if you're the only one in the field, doesn't that just increase the chance that the bullet will hit nothing?

    8. Re:Gun in a field by WindBourne · · Score: 1

      Only for the species as a whole. Whole herds do get wiped and most certainly individuals get nuked all the time.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    9. Re:Gun in a field by mibus · · Score: 1

      It depends.

      If the hunter is a "good guy", his bullets will be true and strike you with deadly justice and accuracy.

      If the hunter is a "bad guy", he'd just as likely miss the whole herd...

    10. Re:Gun in a field by DingerX · · Score: 1

      Dunno; I think a better analogy is the old yarn about two hunters -- an older man and a younger one -- in the woods. They spot bear tracks, and the young guy says to the old one:
      What happens if a bear attacks us?
      The old guy responds, "We run".
      The kid says, "but there's no way you can outrun a charging bear."
      The old man stops, turns to the kid and says, "I don't have to outrun a charging bear; I only have to outrun you."
      So it's not just a matter of standing in a field catching bullets; it's also a matter of what sort of profile you maintain. VoIP interception, it seems, would follow a path similar to email interception as opposed to that used for hacking the boxes themselves.
      While practically every port on the net is being scanned by malicious users looking for security holes, a much smaller percentage of (still largely unencrypted) email is being scanned. And, right now, the biggest problem with email is spam and worms; bots harvest email addresses from the internet and now from other people's machines and generate tons and tons of garbage.
      For email, "security by obscurity" works. How many of us have "high-profile" and "low-profile" email accounts, and how much garbage arrives at each?

      For an individual VoIP user, the chances of malicious crap happening are pretty small. For a company or government agency, VoIP could be a nightmare: consider what would happen if a competitor or DDoS extortionist were to launch an attack that took down the primary means of corporate communications.

      "Security by obscurity" doesn't stop a determined attacker; most of the attackers out there, however, are content with the slowest runner in the bunch.

    11. Re:Gun in a field by Q+Who · · Score: 1

      When the rifle fires, the bullet will go up and then come down and hit some poor sap.

      I always wondered where this notion of a bullet fired up, coming back and killing someone came from.

      You realize that falling bullet will come to constant speed relatively fast due to air resistance, right? Right?

    12. Re:Gun in a field by corblix · · Score: 1
      Security through obscurity is one of those strange concepts .... That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all. Is it?

      Security rarely (never?) means 100% secure against all possible attacks. Rather, we consider what attackers are likely to do, what they are motivated to do, what they are capable of doing.

      If someone out there decides I, personally, need to die, and they are motivated and capable of putting serious effort into achieving their goal, then I am dead. I live my life based on the idea that this is not going to happen. (Some people don't, e.g., the President of the U.S., and they need much better security than I do.)

      Instead, I consider probabilities. No one is going to try to kill me just because I am me, but they might decide to kill someone and grab their money, or break into someone's house, etc. How can I reduce the probability of this happening to me?

      One way is to make myself just a bit harder to attack than the next guy. Good door locks are in this category. Anyone who really wants to can get into my house, but they have to really want to.

      Another way is to bury myself in a crowd: security by obscurity.

      So: Yes, S.B.O. is security. No, it does not do anything to deal with deliberate attacks against me. But it does reduce the chances of being chosen to be attacked. S.B.O. is useless for the President. But for me, it might significantly reduce the probability of harm, which is what security is all about.

  12. BSD? by Anonymous Coward · · Score: 1, Informative

    If they're so worried about this kind of security stuff, why don't they put embedded OpenBSD systems in each of the phones? They'd be virtually uncrackable seeing how pedantic and strict OpenBSD is about ANY code that goes into their -stable branch.

  13. How easy is it to tap VOIP? by darealpat · · Score: 1

    I think that the true point is not whether the data is "floating about as raw audio" but rather if the data can be readily collected and made into a readable (listenable) voice stream. Wouldn't that be easier to do if the device itself is hacked, or if the data collection is done at the point where it leaves your machine? I may be wrong, but I think that after about two hops, that data stream is no longer a stream in the ether that is the internet, but is more akin to a vapour trail of directed packets....

    --
    For every present, there is a past
    1. Re:How easy is it to tap VOIP? by Anonymous Coward · · Score: 0

      VoIP is no harder to intercept than any other traffic. It is trivial to intercept and decode the voice stream IF you have access to one of the many networks (and routers) between the two endpoints. Gaining access to those networks is the tricky part. The backbone carriers don't let just anyone into their server rooms.

  14. How to Decrease PDF Load Time by AceViper · · Score: 3, Informative

    You can drastically speed up PDF load times if you disable all the unneeded plugins:

    1. Install Adobe Reader 6.0 and notice where it is installed.
    2. Navigate to that folder in Explorer, locate the plug_ins subfolder and rename this folder to plug_ins_disabled.
    3. Create a new plug_ins folder.
    4. Move the files EWH32.api, printme.api and search.api from plug_ins_disabled to plug_ins.

    From http://www.mozilla.org/support/firefox/faq#acrobat

  15. US government reports on security holes? by rivj0r · · Score: 1

    How do I modify that +1 funny?

  16. So what was I supposed to learn? by modemboy · · Score: 3, Insightful

    Ok I didn't read the 99 page report (probably some good info in there) but this PC World article is pointless.
    Ok so they can DOS your network connection and kill your VOIP. Uhhh, if you're being successfully DOS'ed you've got bigger problems than your VOIP not working.
    Oh and the other horror? They can listen to your calls? As the article points out this is currently trivial with the POTS, and again if someone can successfully listen in on your full network connection you've got bigger problems than your VOIP not working.
    So why should I be scared again? Sounds like anti-VOIP F.U.D. to me.

  17. What about Skype? by Kensho · · Score: 1

    Skype has encryption!

  18. Pride and Ego by Anonymous Coward · · Score: 0

    We all like to think we are smarter than those who went before us.

    But how many of our generation have sent anything to the moon?

    How many of us electrical engineers actually understand analogue electronics, or the real analogue world for that matter.

    No, I say stay with copper. At least it was designed properly.

  19. Maybe... by raehl · · Score: 1

    But it's at least theoretically possible for VoIP to be secure.

  20. My VoIP calls are secure. by raehl · · Score: 3, Funny

    Iay cryptenay ithway igpay atinlay.

  21. Bah! by cduffy · · Score: 2, Informative

    Yes, it has encryption -- but it's a closed, proprietary solution that's virtually impossible to integrate with anything else.

    Convincing all the SIP implementations to support SRTP is the Right Thing as a long-term solution -- heck, just implementing SRTP support for Asterisk would be a big improvement. As an immediate-term solution (particularly for companies using VoIP to connect with remote users or branch offices), running over a VPN (particularly with IAX trunking if you're connecting branch offices, such as to reduce the number of packets sent and so the damage done by per-packet VPN overhead) works well too.

  22. FUD from government by guardiangod · · Score: 2, Funny

    Since the government can't crack/control it, they release FUD to discourage the public from using the system.

    In this world only the paranoid survive.

    1. Re:FUD from government by Anonymous Coward · · Score: 0

      that's one of the more disgusting sigs i've seen in a while. rape is like the holocaust... it just isn't very funny.

  23. We need dedicated boxes by delirium+of+disorder · · Score: 4, Insightful
    As a former phreaker kiddie, http://angelfire.com/linux/the1 I know how trivial it is to "tap" or disable someone's phone with physical access to the outside of their home or the TNI in their neighborhood. This is not a major threat, because someone would have to directly be targeting your phone to 0wn it...and if you knew people (non-government) were after your phone conversations, you can put a lock on the grey customer access box on your house, and ask your CO to secure your TNI. Perhaps someone could theoretically compromise the CO's switching equipment, but that required either good social engineering or real leet skills. But your phone is just your phone, nothing else, so attacks are limited.

    VOIP is actually more physically secure than PSTN. You can't just hook a speaker up to a DSL line and hear the conversation on it. The problem is, your computer, and every router between you and your VOIP provider, is a general purpose device. Other people and services have access to it for all kinds of legitimate reasons; each of these provides places where people/programs can input data that can potentially directly affect your voice communications or get privilege escalation on the device and indirectly affect it. ANY security person knows to be wary of input! And think of all the ways of getting input to (and theoretically compromising) a PC. What we need is a dedicated physical console for VOIP (a small linksys network device running OpenBSD or Linux and Asterisk sounds good). The actual VOIP data should be sent through an SSH tunnel or some kind of VPN.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
    1. Re:We need dedicated boxes by Anonymous Coward · · Score: 0

      You could also learn to spell or correctly focus your camera :)

  24. Your analogy is bad. by raehl · · Score: 1

    By your analogy, if you get rid of all the other people in the field, your chances of being hit are still the same. That's not the way security through obscurity is supposed to work.

    A better analogy of security through obscurity is you have a guy standing on a tower in the middle of a field with a rifle and one bullet. If you're the only guy in the field, it's going to be you. By filling the field with other people, you virtually guarantee you won't be the one who gets shot.

    Of course, that doesn't mean that's realistic. The problem with security through obscurity is that the more people you put into the field, the more unsavory people you find trying to get into the tower with a rifle.

  25. "Slashdot" attack. by valentyn · · Score: 1

    "You have been blocked from entering this site.

    You have attempted an unknown attack on this site."

    --
    my other sig is a 500 page novel
  26. Latency issues?! by grahamsz · · Score: 2, Informative

    I figured you'd be able to get a stream cipher in there without adding more than a couple of milliseconds.

    I'd imagine stream compression would be a harder problem than stream encryption.

    Of course you've still got to do some sort of shared key or PK exchange, but that's call setup latency so it's no big deal.

  27. FYI speakfreely by smartsaga · · Score: 1

    I have used this program before to make "secure" point to point voice calls with friends.

    http://www.speakfreely.org/

    How hard can it be to encrypt packets? How hard can it be to tunnel the VoIP through an SSH tunnel?

    So, my free solution here would be to install OpenSSH (yes there is one for windows and it's free) and putty. Then you just redirect the port of the VoIP thing and that's it. You just have another setup like that on the other end.

    http://sshwindows.sourceforge.net
    http://www.chiark.greenend.org.uk/~sgtatham/putty/

    Now for a commercial SSH tunnel, use Tunnelier.
    http://www.bitvise.com/products.html

    Now, I know that in government or any private company or industry money MAY BE a limitation... This is cheap and it has good licensing schemes, so no "buts."

    Your IP phones are belong to us... (the unencrypted ones at least) get it?

    Have a good one.

    --
    ===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
    1. Re:FYI speakfreely by grimwell · · Score: 1

      SSH Tunnels for VOIP isn't a very workable solution. It requires me to establish an ssh session with every end-point I want to call or at least the point where my call leaves the 'net & enters the PSTN. This is a serious pain in the ass.

      Perhaps a better solution would be something like x.509 certs. End points identify each other (could eliminate caller id spoofing) and the end points generate a couple of random keys to use to encrypt the traffic. Hell, if you don't care about identifying the end-points just have the end points generate a couple of random keys and encrypt the traffic.

      Basically, it is something that should be added to the protocol and done behind the scenes (so as not to bother the average end user). Maybe running VoIP over IPv6 would be the solution, as IPv6 has ipsec built-in.

      --
      If the govt becomes a lawbreaker, it breeds contempt for law, it invites man to become his own law, it invites anarchy
    2. Re:FYI speakfreely by smartsaga · · Score: 1

      Yup, something like that. My solution is just for the desperate, the geek that can't wait to encrypt a VoIP conversation and the enthusiast. Of course I mentioned businesses because it CAN be done, somehow.

      --
      ===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
  28. Key escrow? by Urusai · · Score: 1

    And what happened to this fine Orwellian plan? I'd sure hate to think our boys in black would have to trudge out to the field and muck around with hardware when they could cyberjack some ICE on their shiny Unix systems (in 3D).

  29. Ain't No Magic, here. by iritant · · Score: 2, Insightful

    This report says absolutely nothing new. If you're going to take VoIP seriously, you need to recognize the application's needs. In this case, some amount of QoS is important, particularly at congestion points such as the last hop to the consumer. You also need to recognize that like any other application on the Internet DDOS is a possibility. Ain't no different.

    On the other hand, IPv6 will solve all our problems, right? ;-)

  30. The big problem with VOIP by prisoner · · Score: 3, Funny

    isn't the security. Phone calls haven't been secure since shortly after the first one was made. No, the problem with VOIP is working with the fucking idiot phone vendors who do not understand what they are trying to do. I've gotten several calls from local phone guys who don't understand networking in the least and insist that they've assigned proper IPs to the phones at two separate locations but they won't talk so it is my network problem. They then inform the customer that the problem is with the network and walk off. The phone at location #1 had an IP of 192.168.39.3 and the phone at location #2 192.168.40.5. No VPN between them. They were trying to route the traffic out over the internet connection.

    These dipshits sell the customer on these solutions and then when it doesn't work (routing probs or dropouts from no QOS) they call us in to sell the customer a couple thousand dollars worth of services and hardware to solve the problem. I don't mind the business but working with a customer who is on the brink of becoming an axe murderer isn't pleasant.

  31. If you are so &*%# worried about it... by sczimme · · Score: 1


    IMHO, PDFs or links, especially unlabelled ones, are less than professional.

    Yes, it certainly is unprofessional for a .gov entity to use a document format that can be used easily, effectively, and cheaply by any one of its many constituents - you know, the people that actually paid for the work. What were they thinking??

    Look Sparky, if you are so &*%# worried about it, then - before you click on the link - place the mouse pointer (the li'l thingie that you move around the screen to click stuff) on the link. See the full URL displayed at the bottom of your browser window? Look at it carefully. If at the end of this URL you see a p and a d followed by an f, back slowly away from the link. There, you're all better; that mean ol' PDF won't bother you any more...

    PS "Less than professional" On /.??!? Say it isn't so! *snicker*

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:If you are so &*%# worried about it... by 2TecTom · · Score: 1

      PDF Usability Crimes
      http://www.g4tv.com/screensavers/features/45796/PDF_Usability_Crimes.html

      "I hate PDF..."
      http://wired-vig.wired.com/news/politics/0,1283,64346,00.html?tw=wn_tophead_1

      PDFs suck, people!
      http://www.garethjmsaunders.co.uk/pc/computer/pdf-suckweb.txt

      WHY PDFS SUCK
      http://jessey.net/archive/2005/02/16/pdfs-suck/

      I guess I'm really not too surprised that so many people can't or won't get the whole "PDF" issue. PDFs are not web pages, plain and simple. The use of PDFs for other than for their intended purpose is, yes, less than professional. Of course, I never expected to see so many adobe fan boys here at /., either.

      Oh, and of course, the fact that it's a proprietary file format is just so totally irrelevant ... sure.

      As well, what happened to your sense of humor? Perhaps that cubicle is really starting to get to you?

      --
      Words to men, as air to birds.
    2. Re:If you are so &*%# worried about it... by sczimme · · Score: 1


      I guess I'm really not too surprised that so many people can't or won't get the whole "PDF" issue. PDFs are not web pages, plain and simple.

      Neither are MPGs, JPGs, MOVs and myriad other files with links pointing to them.

      The use of PDFs for other than for their intended purpose is, yes, less than professional.

      The point of PDF is to allow people to view the same document in the same way on many different platforms. I suppose you have a different definition of "intended purpose", but that makes no difference: see what the vendor has to say about it.

      Oh, and of course, the fact that it's a proprietary file format is just so totally irrelevant ... sure.

      Yes, actually it is irrelevant, and will be as long as freely available and/or open source tools are available to use/create/etc. the format. Proprietary doesn't necessarily mean closed.

      As well, what happened to your sense of humor? Perhaps that cubicle is really starting to get to you?

      There is no cubicle here - just an office w/ multiple windows, but thanks. :-)

      --
      I want to drag this out as long as possible. Bring me my protractor.
    3. Re:If you are so &*%# worried about it... by 2TecTom · · Score: 1

      Neither are MPGs, JPGs, MOVs and myriad other files with links pointing to them.

      Sure, and all the issues and problems that have come with them. Sure we use them, but usually only until an open standard becomes widespread.

      The point of PDF is to allow people to view the same document in the same way on many different platforms. I suppose you have a different definition of "intended purpose", but that makes no difference: see what the vendor has to say about it.

      Actually, the intention was to allow printing and viewing on systems when layout was the issue. You can stretch all you want, but the more you do, the weaker your argument.

      Yes, actually it is irrelevant, and will be as long as freely available and/or open source tools are available to use/create/etc. the format. Proprietary doesn't necessarily mean closed.

      Actually, it must be relevant, or people wouldn't be debating the issue, now would they? Furthermore, sure, it's a published standard, but hey, it's owned. Who really knows what the owner(s) will choose to do. The whole "Open" movement is about public control versus private control. How you, or anyone, could possibly try to claim this to be an irrelevant aspect of this discussion is, quite frankly, entirely beyond me. I'm afraid I must entirely disagree on this point as well.

      There is no cubicle here - just an office w/ multiple windows, but thanks

      No problem, always happy to guide the lost. :~)

      Please, let me add that as a technical writer, I have never, nor would I use a PDF document as a web page. Their proper place is brochures, legal documents and prepress, etc.

      --
      Words to men, as air to birds.
  32. The government has a good reason to say this... by i_want_you_to_throw_ · · Score: 2, Insightful

    Sending your calls over VoIP is more difficult to tap. Wiretaps grew by 19% last year and not a one was turned down.

    VoIP is much tougher to tap by comparison. Remember kids, "Terrorism" is the new "Communism"(tm)

    1. Re:The government has a good reason to say this... by KayEyeDoubleDee · · Score: 1
      Remember kids, "Terrorism" is the new "Communism"(tm)

      Wow. Are the terrorists really on track to kill 100 Million people this century?

  33. Security through Obscenity by bobbuck · · Score: 1

    "Don't listen to my f***ing phone calls you goddam inbred motherf***er! If you do, I'll shove a cactus up your ass!"

  34. Another solution is to by Anonymous Coward · · Score: 0

    just fucking retire TCP/IP. SCTP, DCCP, CLIP. Hell, at this point, SSH would be a superior alternative.

    Just have the entire intarweb running on SSH. One small step for man, one gigantic fucking leap for Al Gore's Internet.

  35. US Gov fears VoIP encryption will defeat wiretaps. by AgVulpine · · Score: 1

    The real effect of scaring the public about VoIP is to ensure their information gathering technology still exists 10 years from now. The intelligence departments know that VoIP over encrypted channels will bring an abrupt end to wire tapping.

    "Please, continue to use your local telco, your cell phones, and especially text messaging and email.", some random official might say. "Watching for terrorists has never been so easy!"

  36. no it won't by geekoid · · Score: 1

    "The intelligence departments know that VoIP over encrypted channels will bring an abrupt end to wire tapping."

    no, they will install software that intercepts your voice from your pc.

    what it will stop, is random selection of conversations and storing conversations on a giant database to be scanned 'just in case'.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:no it won't by AgVulpine · · Score: 1

      And how do you figure the FBI is going to install ANYTHING on my PC? Osmosis?

  37. not true by geekoid · · Score: 1

    it's a layer, and as with all security it should be used appropriately.

    also, making it obscure means someone will have to be rooting around which gives you an opportunity to catch them.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  38. Internet telephony who to choose. by SSalvatore · · Score: 1

    There are a lot of internet phone companies out there (Vonage, Net2Phone). I want to get an Internet telephone in my home this month. Which one should I choose? What is your experience with these different services?

  39. how to tap by Anonymous Coward · · Score: 0

    Some people are wondering how easy it really is to rip the data out of a wire. I used to work with a few voip boxes and as long as they use RTP (all that I saw did) you can use ethereal

    capture->stop
    statistics->RTP->Show all streams
    (also stream analysis)

    Now you can play back each direction of the call individually since each is a different stream, you can also save it as a wave
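As an added example (not from the thread), here is a Python sketch of what that "Show all streams" step does under the hood, written from the defender's side: it inventories the RTP streams present in captured UDP payloads, grouped by SSRC and direction, so unencrypted VoIP on your own network can be found and moved onto SRTP or a VPN. The sample packets, addresses and SSRC values are constructed for the demonstration.

```python
"""Inventory RTP streams seen in captured UDP payloads (added example, constructed data)."""
import struct
from typing import Dict, List, Optional, Tuple

# A few static payload types from RFC 3551 so the report names the codec.
PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA", 9: "G722", 18: "G729"}

# (src_ip, src_port, dst_ip, dst_port, udp_payload) as a capture tool would hand them over.
Packet = Tuple[str, int, str, int, bytes]


def parse_rtp_header(data: bytes) -> Optional[dict]:
    """Return the fixed RTP header fields (RFC 3550), or None if this is not RTP version 2."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        return None
    cc = b0 & 0x0F                      # number of 32-bit CSRC entries after the fixed header
    if len(data) < 12 + 4 * cc:
        return None                     # truncated CSRC list
    return {
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload_len": len(data) - 12 - 4 * cc,
    }


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker: bool = False) -> bytes:
    """Construct an RTP packet; used here only to fabricate sample traffic."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def inventory_streams(packets: List[Packet]) -> Dict[tuple, dict]:
    """Group RTP packets by (SSRC, source, destination) and count packets, bytes and losses."""
    streams: Dict[tuple, dict] = {}
    for src, sport, dst, dport, data in packets:
        hdr = parse_rtp_header(data)
        if hdr is None:
            continue
        # RTCP shares the port pair and parses as RTP with PT 72..76 (RFC 5761); skip it.
        if 72 <= hdr["payload_type"] <= 76:
            continue
        key = (hdr["ssrc"], f"{src}:{sport}", f"{dst}:{dport}")
        s = streams.setdefault(key, {"packets": 0, "bytes": 0, "lost": 0,
                                     "payload_types": set(), "last_seq": None})
        s["packets"] += 1
        s["bytes"] += hdr["payload_len"]
        s["payload_types"].add(PAYLOAD_TYPES.get(hdr["payload_type"], f"PT{hdr['payload_type']}"))
        if s["last_seq"] is not None:
            gap = (hdr["sequence"] - s["last_seq"]) & 0xFFFF   # 16-bit wraparound
            if 1 < gap < 0x8000:        # forward jump means gap-1 packets never arrived
                s["lost"] += gap - 1
        s["last_seq"] = hdr["sequence"]
    return streams


def report(streams: Dict[tuple, dict]) -> List[str]:
    """One human-readable line per stream. Note: SRTP leaves this header in the clear, so a
    listed stream is not proof of a plaintext call; confirm against the SIP/SDP call setup."""
    lines = []
    for (ssrc, src, dst), s in sorted(streams.items()):
        codecs = "/".join(sorted(s["payload_types"]))
        lines.append(f"SSRC 0x{ssrc:08x} {src} -> {dst}: {s['packets']} pkts, "
                     f"{s['bytes']} payload bytes, {s['lost']} lost, codec {codecs}")
    return lines


# Constructed sample traffic: a two-way G.711 call (one packet dropped), an RTCP sender
# report on the same port pair, and a stray non-RTP datagram. Addresses/SSRCs are made up.
A, B = ("10.0.0.5", 16384), ("10.0.0.9", 20000)
SAMPLE_PACKETS: List[Packet] = [
    (*A, *B, build_rtp(0, 100, 0, 0x11111111, b"\xff" * 160, marker=True)),
    (*B, *A, build_rtp(0, 5000, 0, 0x22222222, b"\xff" * 160)),
    (*A, *B, build_rtp(0, 101, 160, 0x11111111, b"\xff" * 160)),
    (*A, *B, build_rtp(0, 103, 480, 0x11111111, b"\xff" * 160)),   # seq 102 never arrived
    (*B, *A, build_rtp(0, 5001, 160, 0x22222222, b"\xff" * 160)),
    (*A, *B, struct.pack("!BBHII", 0x80, 200, 6, 0x11111111, 0) + b"\x00" * 20),  # RTCP SR
    (*A, *B, b"\x00\x01\x02\x03" * 4),                               # version 0: not RTP
]

if __name__ == "__main__":
    for line in report(inventory_streams(SAMPLE_PACKETS)):
        print(line)
```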