Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zimmermann, Encrypted VoIP, and Uncle Sam

Posted by ryuzaki0 on from the something-to-think-about dept.

An anonymous reader noted that Phillip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.

11 of 325 comments (clear)

  1. Re:nothing to hide by bung-foo · · Score: 5, Informative

    Really, I mean why do people wear clothes for that matter? I mean we are all made of meat covered in skin. We all know what human bodies look like. Everyone should just go naked from now on. Who needs privacy when you have nothing to hide?

  2. Know how it works... by GPLDAN · · Score: 5, Informative

    Phil took an open source VOIP client and added encryption to it. By his own admission, he doesn't know much about how to make VOIP work well, codecs and all that. But his encryption is very clever. It uses Diffie-Helman to generate a per-session key, which is stored in a completely volitile way. i.e. it is destroyed after the call terminates and cannot be retrieved (stored in memory which is then overwritten). So, even if a man (or government) in the middle records the RTP stream and then gets a search warrant to get the key to decrypt the call, it won't be there.

    Look for his techniques for peer to peer key setup, which again is very clever and well thought out, to be used in a variety of new ways. I expect you will see a bit-t client soon that can also generate this one time session key between peers. It will be much more computationally intense than what you see bit-t clients like Azureus do to the CPU now, but no more than using S/FTP. Well, maybe more, because of the number of keys being setup and destroyed and the memory allocation needed in a swarm situation. But for peer to peer calls, it's strong and I expect that Phil, who was nearly bankrupted by Uncle Sam, trying to defend himself, will again be the NSA crosshairs. The guy is just a warrior, what can you say? Guys like him and Klein who blew the whistle on AT&T are the ones fighting for privacy and against a police state. And they will not be treated kindly by this administration.

  3. Re:Cryptome by prz · · Score: 5, Informative

    I wish Cryptome would not redistribute my Zfone software. This morning I had to upload a new version due to a last minute mistake we made before the release, and Cryptome probably got the uncorrected version. This is beta software in flux, rapidly changing with new updates likely, especially shortly after it hits when we discover early problems. Further, I've just added critical warnngs to my web site about how to do the installation for Windows, and if someone grabs the software and posts it somewhere else, it will lack those warnings. There are good reasons why I want to maintain control of the distribution, especially during the initial public beta. --Philip Zimmermann (prz@mit.edu)

  4. Re:nothing to hide by hibji · · Score: 4, Informative

    This is an excellent article that rebuts your argument that is both concise and eloquent: http://wired.com/news/columns/0,70886-0.html?tw=wn _index_23

  5. Re:Didn't read the tech specs ... by cswiger2005 · · Score: 3, Informative

    "Man in the middle" attacks are generally mitigated against by using a large initial key (such as the host key used by SSH, or the x.509 cert used by SSL) to guard an exchange of a smaller temporary session key as a shared secret, which is time-sensitive and is regenerated periodicly. You'd have to break the 1024-bit key or whatnot very rapidly, in the matter of a few hours, or else you'd be too late to do a replay or MitM attack.

    This has a reasonable set of diagrams which describe the process:

    http://www.netip.com/articles/keith/diffie-helman. htm

    It helps to have a registry or Certifying Authority available which has a list of published public keys...

    --
    "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
  6. It wasn't all Bush by randomErr · · Score: 3, Informative
    I would like to point out that wire/phone taps have been a staple of American history:
    From Wikipedia

    During the American Civil War, government officials under President Abraham Lincoln eavesdropped on telegraph conversations. Wiretapping has also been carried out under most Presidents, usually with a lawful warrant since the Supreme Court ruled it constitutional in 1928. Domestic wiretapping under the Clinton administration led to the capture of Aldrich Ames, a former Soviet spy in 1994. Robert F. Kennedy monitored the activity of Martin Luther King Jr. by wiretapping in 1966.

    --
    You say things that offend me and I can deal with it. Can you?
  7. Re:Brave New World by pjrc · · Score: 3, Informative
    Some time ago, I implemented 3DES on an 8 bit microcontroller. In assembly language, it took about 2000 instruction cycles to run all 16 rounds of DES, plus the initial and final permutation, and the xor for CBC.

    So if you run it 3 times for triple des, that's approx 6000 instructions for every 8 bytes, or about 750 instruction cycles per byte. At 8000 bytes/sec for voice quality audio, my fast DES code would only need 6 MIPS on an 8 bit microcontroller. A slower version in C is readily available for free, which runs about 5X slower than my hand optimized assembly, requiring 30 MIPS.

    Certainly strong encryption is feasible in real time for voice audio, even on very inexpensive 8-bit chips.

    --
    PJRC: Electronic Projects, 8051 Microcontroller Tools
  8. Re:Cryptome by prz · · Score: 5, Informative

    Although the US has ended most of their export controls for crypto software, there are still some reasonable export controls in place, namely, to prevent the software from being exported to a few embargoed nations, such as North Korea, Iran, Libya, Syria, and Sudan. And for commercial encryption software that you actually pay for (not this free public beta), there are now requirements to check customers against government watch lists as well, which is something that companies such as PGP comply with these days. PGP Corp volunteered to host the public beta software on their server, with all the appropriate checks in place. That's why you have to register, to make sure you are not in an embargoed country, to keep me in compliance with U.S. export laws. Been there, done that. -Philip Zimmermann

  9. They give you the list by grahamsz · · Score: 3, Informative

    Yeah they pretty much hand you the lists

    http://www.treas.gov/offices/enforcement/ofac/sdn/ delimit/index.shtml

    Of course some of the entries are obviously from gathered inteliigence. I recall having to block anyone called "The Chess Player" from signing up. Unfortunately most websites don't gather date of birth, and when you do name only matching you catch a lot of innocent people - who are usually mightily pissed off about having to call EVERY SINGLE SITE that they try to sign up for.

    The other big caveat is what you're supposed to do when you find a match - it's virtually impossible to stop them just changing their details and signing up again.

  10. Example of why you're right by Beryllium+Sphere(tm) · · Score: 3, Informative

    The Scarfo case. An accused mobster was using PGP, the FBI got a warrant, and tapped his computer with what sounds like a hardware keylogger.

  11. This is why libertarians... by SonicSpike · · Score: 3, Informative

    ...inherently distrust government no matter who is in power. Libertarians always view the government as untrustworthy, expansive, over-reaching, and inefficient by it's very nature. Thus the idea is to limit the government to its most basic and fundamental operations as set forth in the Constitution by our founding fathers.

    The lines between the Dems and the Reps here in the US have blurred to the point that distinction is negligible.

    --
    Libertas in infinitum