Slashdot Mirror
Zimmermann, Encrypted VoIP, and Uncle Sam
An anonymous reader noted that Phillip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.
It's also available from Cryptome:
http://cryptome.org/zfone-agree.htm
why would people with nothing to hide want to have their personal conversations listened to? And why would we want to spend our tax money to spy on people who have nothing to hide? Shouldn't we be after the terrorists instead?
Really, I mean why do people wear clothes for that matter? I mean we are all made of meat covered in skin. We all know what human bodies look like. Everyone should just go naked from now on. Who needs privacy when you have nothing to hide?
From another NYTimes article, Bush Aide Defends Eavesdropping on Phone Calls(emphasis mine):
So why exactly is the government getting their knickers in a twist over Zfone? After all, the program is just intended to compile a database of call information, not actually listen to the content of the conversations. Doing that, as the administration has repeatedly told us, would require a court order.
So if you have a person you suspect from the numbers he's connected with, and you do obtain that court order, and it turns out he's using Zfone, there are other ways of getting the content of that conversation (hint: it has to be unencrypted at some point, so the 'terrorists' can understand each other). Arduous, sure, but since this will be done on only a select few, it's not that much of a hardship.
No, the reason the government doesn't like Zfone is because they want perform blanket surveillance on all American citizens; to listen to all our calls, all the time. By utilizing speech-recognition software and an ever growing list of suspect words and phrases, they will be able to keep tabs on the unruly U.S. population, weeding out terrorists, political dissidents, environmentalists, Democrats, and other 'undesirables'.
____
~ |rip/\/\aster /\/\onkey
How do you even know what you need to hide anymore?
The meaning of the word terrorist could change at any moment and the deffinition of enemy combatant is equaly fluid.
Your logic is flawed anyway... criminals are not the only group who like privacy.
I don't give a damn for a man that can only spell a word one way.
Mark Twain
Everyone should just go naked from now on
AMEN to that!
Nyhetsankaret.com -- det bÃsta av Sveriges Nyhetssido
Very true. But whenever technology gets involved in a discussion, people's eyes sort of glaze over. No one knows what's going on, they just hear Internet phone calls, terrorism, and encryption. While you and I know that anyone intercepting a packet (encrypted or not) can tell where it came from and where it's going, America doesn't. They probably think it's an effort at parity between VOIP and normal phone calls (if they know what VOIP is).
For the same reason I keep the curtains drawn in my bedroom windows at night, esp. when the s/o gets frisky.
Just because me and my s/o's bedroom activities are perfectly legal doesn't mean I want everyone else (let alone the government) monitoring it.
Quo usque tandem abutere, Nimbus, patientia nostra?
Really, I mean why do people wear clothes for that matter? I mean we are all made of meat covered in skin. We all know what human bodies look like. Everyone should just go naked from now on. Who needs privacy when you have nothing to hide?
I tried that. They sent a bunch of burly guys to force me into a striped one-piece jumpsuit.
-1 Uncomfortable Truth
and all that relates to national security. CALEA, the thing that allows wiretaps under warrant, is in place for all previous communications methods, including paging. What government wants is CALEA type access to new communications types. HOWEVER: Neither the constitution, any ammendment, any subsequent law, or even terms of use, specify that your communications have to be made in an open unenctrypted manner. In fact, in the US, if there is no evidence, there is no crime, and no way to know the criminal. Its all part of that innocent until proven guilty mindset.
... at least not yet.
If all your telephone calls, emails, etc. are encrypted by you and the other intended party or parties involved, there simply is nothing the government can do about it. With probable cause, they can 'try' to compel you to divulge the encryption key, but then you don't have to testify against yourself in the U.S.
Neither can the government, church, or any other person(s) compel you to divulge your thoughts, or secrets.
Its time for the encryption phones to start appearing on the market.
This little problem will quickly spiral out of control until those that want to snoop on others have more work to do than they ever imagined. The basic problem here is that the people they say they want to spy on are not using the communication systems the same way as everyone else, and their communications are encrypted, or hidden in ways the government cannot prevent, nor detect with the laws and practices that they wish to install.
Wiretapping on the scales being talked about recently are stupid, prohibitively stupid, and will be nearly 100% ineffectual.
They can't find Bin Laden with all the military might, but somehow they are going to catch him making a phone call? uh, yeah right.... of course, its the little people that lead to the big ones, but they have been spying on the little ones all along... still haven't caught him.
Support NYCountryLawyer RIAA vs People
Be careful what you wish for.
I'm at work at the moment so I can't do a proper search for images but think about it: would you want to see Margaret Thatcher walking around naked?
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Phil took an open source VOIP client and added encryption to it. By his own admission, he doesn't know much about how to make VOIP work well, codecs and all that. But his encryption is very clever. It uses Diffie-Helman to generate a per-session key, which is stored in a completely volitile way. i.e. it is destroyed after the call terminates and cannot be retrieved (stored in memory which is then overwritten). So, even if a man (or government) in the middle records the RTP stream and then gets a search warrant to get the key to decrypt the call, it won't be there.
Look for his techniques for peer to peer key setup, which again is very clever and well thought out, to be used in a variety of new ways. I expect you will see a bit-t client soon that can also generate this one time session key between peers. It will be much more computationally intense than what you see bit-t clients like Azureus do to the CPU now, but no more than using S/FTP. Well, maybe more, because of the number of keys being setup and destroyed and the memory allocation needed in a swarm situation. But for peer to peer calls, it's strong and I expect that Phil, who was nearly bankrupted by Uncle Sam, trying to defend himself, will again be the NSA crosshairs. The guy is just a warrior, what can you say? Guys like him and Klein who blew the whistle on AT&T are the ones fighting for privacy and against a police state. And they will not be treated kindly by this administration.
Well, let's see, why do people wear clothes? Shrinkage. Brown and yellow stains on furniture. Getting pubic hair stuck. Seeing the US senate naked. I think those are excellent reasons. Yours may differ. If the US starts going all naked, I'm moving.
Just don't leave the country again Zimmerman...or you may end up locked inside that customs office where they 'want to leave lawyers out of this' again. :)
PGP Story:
MPG 1.1G
WMV 378M
So, I'm the evil-agency-du-jour and today I'm auditing IP traffic. If you are a person of interest, they know:
1. You are sending packets to and from specific IP addresses.
2. Grabbing copies of those packets.
3. Putting super-computers to work on them.
4. Discover you are ordering pizza over SIP. (whatever, it's funny)
The concept of "Privacy" was dead a long time ago. I *still* don't understand the outrage when most of your activity is available through many data brokers. What's not there, is available with little procedural check or balance.
Where it is very valuable is company to company communication. Where your competitors may not have the expertise to get the info.
But, then there's the encryption problem anyone has that uses it. It's stupifyingly easy to build a case on suspicion. Trying someone in the court of public opinion is easy and swift. "He uses encryption so he must be hiding something.." is all it takes to end a career, destroy your social status.
Cryptographer==criminal. Film at 11.
If one can codify it's everyday use, I think it's a big step forward.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
This is an excellent article that rebuts your argument that is both concise and eloquent: http://wired.com/news/columns/0,70886-0.html?tw=wn _index_23
Terrorists are already using encryption to protect their privacy. Don't you think you should as well?
"Man in the middle" attacks are generally mitigated against by using a large initial key (such as the host key used by SSH, or the x.509 cert used by SSL) to guard an exchange of a smaller temporary session key as a shared secret, which is time-sensitive and is regenerated periodicly. You'd have to break the 1024-bit key or whatnot very rapidly, in the matter of a few hours, or else you'd be too late to do a replay or MitM attack.
. htm
This has a reasonable set of diagrams which describe the process:
http://www.netip.com/articles/keith/diffie-helman
It helps to have a registry or Certifying Authority available which has a list of published public keys...
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
If he's still using the system he presented last summer at BlackHat, he's actually doing something rather clever:
The system does a standard Diffie-Hellman key exchange between the two softphones, and hashes that exchange to words that each caller is supposed to read to the other (you see what they're supposed to say, and they see what you're supposed to say). So, unless the man-in-the-middle can also impersonate your voice, MITM'ing the connection is very difficult.
Also, the hashes used to generate that vocal exchange are stored for each destination you call for every call, and fed into the new hash generation. So, even if you skip a round of comparing the hashes, if you do it for a later call & it works, you can be assured that the *previous* call was also clean.
Before you launch into yet another tirade against the president, bear in mind that our divided Congress consistently allows things like this. This isn't a Bush thing or a Republican thing. This is a beaurocratic, ivory tower, professional politician thing. This happens because we elect the very wealthy from both parties, so that the majority of our elective government has very little connection with their constituents. We create political dynasties, voting for celebrities rather than leaders. Our current political situation isn't due to one man or one party, but rather one entire nation ignoring its own wellbeing in favor of the candidate with the best sound-bites and the stiffest hair. We might as well be getting our political news from E!: who cares how they voted, let's find out which congressman is cheating on his wife this week and what Hillary wore to session today.
120 characters for a sig? That's bloody useless.
If they have sufficient evidence to meet a reasonable probable cause standard, why not just let them into the house to bug the device itself? There are devices out there for keyboards which have a few hundred KB of memory and that sit between the keyboard and the port on the back of the PC.
They don't need to block encryption, except to keep tabs on people that wouldn't meet the legal requirements. If they can't meet the legal requirements for a warrant to break into the suspect's house and bug them, then chances are the person hasn't committed a crime.
Sorry, sir, but you are completely wrong. ANY VoIP-capable computer can encrypt a 12kbps stream with a 1024-bit key. And -- unless the whole academia is wrong and all the current off-the-shelf crypto algorithms have crypto flaws, no, not every supercomputer in the face of the earth could break the encryption. One would have to get the keys in another fashion to listen to the talks.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
From "The Eternal Value of Privacy" by Bruce Schneier in Wired (http://www.wired.com/news/columns/0,70886-0.html
"... accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect."
Free minds. The greatest chilling effect of universal surveillance doesn't come from men in black vans. It comes from being unveiled as a Commie, or an Islamic Sympathizer, or even A Guy Who Googled for "Fatties" in front of your friends/employers/relatives/whatever. The greatest force against freedom in our society is us.
Not one of Sen. McCarthy's victims was actually thrown in a gulag. Think about that. They weren't fired by the government. They were fired by PHBs who acted in blind sympathy with loudmouthed bureaucrats. There would have been no McCarthyism if the public had not been willing to punish itself for unpopular thought and/or speech.
We need a society in which there's no difference between what's illegal and what harms others, and holds all other things not only legal, but acceptable. Once we have that society, people who have done nothing to harm others really will have little to fear. But there's one more thing: If we're going to use public safety as an excuse for universal surveillance, we have to give the power of surveillance to everyone, not just government.
Privacy advocates might cringe at that last statment, but consider this: People are getting more wired, surveillance is getting easier and cheaper, and that trend may never reverse. There may be nothing we can do to stop privacy from dying. Maybe we should start thinking about what we're going to do when it does.
Step into a huge movement. Don't Tread In Me.
The problem is, far Far FAR FAR more often it is not.
But it is ALWAYS subject to abuse.
Being Free means that we accept the risk that the "bad guys" will abuse that Freedom to hurt/kill some of our citizens.
But they will never defeat us. Only we can do that by surrendering our Freedom for the illusion of "safety".
Where's the Zfone (or interoperable) SIP module for Asterisk? And which softphones & ATAs already include one?
--
make install -not war
You say things that offend me and I can deal with it. Can you?
> By utilizing speech-recognition software and an ever growing list of suspect words and phrases,
> they will be able to keep tabs on the unruly U.S. population, weeding out terrorists,
> political dissidents, environmentalists, Democrats, and other 'undesirables'.
Those evil Republicans! Except, wait... wasn't it the Clinton Administration that launched a 3-year criminal investigation of Phil Zimmerman in 1993?
And wasn't that the same President who championed the Clipper chip, so the government would have the keys it needed to decrypt your phone calls?First and foremost, I'm a long time fan of PRZ... he's a hero among heros and should be credited as such.
Secondly, am I missing the hardware solutions for things like this? I've been a Vonage customer for some time, and while Vonage seems to take a blind eye to security (just ask them they'll tell you they are happy to work with the local and federal law enforcement agencies). When will I be able to use a handheld, encrypted VOIP device, and be sure that its secure?
think before you write, it'll save me moderator points.
I contend that they can find Bin Laden, but don't really want to. The minute he's captured, any (remaining) support for continuing the "War On Terror" goes right out the window. As long as he's out there, the administration can yell "9/11" to justify anything they want and the sheeple will buy it.
Flame me if you want, but the Bush Administration is EVIL. I'm not saying that Bush himself is evil (he's not that smart), but his policies and cronies - you know it baby.
It must have been something you assimilated. . . .
Just as an addition, the "Off-the-Record (OTR) Messaging" plugin for Gaim offers a similar setup for instant messaging. (You can use it with other IM clients as well; it works with stock AIM as an HTTP proxy and is built in to Adium for Mac.)
In my opinion, it's a much better system than some of the other IM encryption setups, which give you authentication but not any forward secrecy or deniability. Basically it forces you to authenticate the other party via a side-channel, rather than using a trust framework a la PGP, but in return the authentication can't be turned around and used against you after the fact.
It does this via an unauthenticated Diffie-Hellman key exchange, and then creating and exchanging a per-session symmetric key within that channel, which is destroyed at the end of the conversation. More technical information is available here.
In short it provides more authentication than Trillian's setup, more deniability than gaim-encryption, and doesn't require any of the infrastructure required by SILC. The only difficulty in using it is getting other people to use a supported client program and to install the plugin / generate a key.
I think there's room for both types of encrypted communications: ones that provide a trust framework and robust authentication, and ones that provide for more deniability (and allow the computerized century equivalents of a face-to-face meeting, where if both people desire it, they can deny the contents of the communication later).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Sorry but the idea that we all have to give up our freedom to be safe and free is just beyond stupid.
Thanks to eating disorders most chicks are reasonably good looking these days.
Imagine, a Republican administration using laws created by Bill Clinton's Democrat administration to monitor international phone calls of known terrorists.
Incredibly suspicious.
Cut to my room, opening the front door.
"Yes officer?"
"You had a conversation with unlicensed encryption keys."
"I did not, I sent my keys to the government as ordered."
"They don't fit."
"Gee, beats me, I never really figure out those tech thingies, must've done something when I wasn't looking, I'm sooooo sorry."
Hey, why should claiming stupidity only work when you're spreading malware?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Gurrrk.
Put some more thought into this one. There are any number of things that are "unacceptable" that aren't bad enough to merit applying the might and majesty of the State's criminal justice system. By denying all social sanctions short of criminal prosecution, you create a society with the worst of both worlds: a plague of officers (lawyers) worse than what we have now, along with a degree of rudeness that would make the French recoil in horror.
Time was when being rude enough in public would get you tossed into the street by half of the men in the place. We solved that (and I'm not sure it was the wrong thing to do) by criminalizing the eviction as assault -- but now we have people carrying on loud cellphone conversations during movies.
Shunning and scorn aren't on the order of a punch in the nose -- don't deny us those as well.
Lacking <sarcasm> tags,
"Is the government enforcing a law that terrifying to you?"
Depends on the law. A substantial fraction of the recent ones are, in fact, pretty terrifying.
Why yes, I AM a rocket scientist!
Politico: A political person.
Politaco: Mr. Malda when he mixes personal politics with news.
why would people with nothing to hide want to encrypt their conversations.
Because it's none of your fucking business that's why
Seven puppies were harmed during the making of this post.
So, you don't use envelopes for mail either, do you?
Why yes, I AM a rocket scientist!
You're right - my post was an oversimplification. Talking loudly in a movie theater steps on the toes of other moviegoers, and you should be able to snark at those people without having them arrested. I guess my point was that "your freedom ends where my nose begins," is a system that works better when people are less nose-y.
Gay marriage is a perfect example. When this subject comes up, people turn out in droves to vote against other people's freedom. And then they complain when the majority votes to outlaw their rifle collection, or to make their smoking habit ruinously expensive, not realizing that by voting to manage someone else's behavior, they've just legitimized society's power to manage theirs.
And that gets back into the power of law, but the same principles apply to what people accept or don't accept in each other. If I establish that it's okay for me to fire someone purely for being gay/Commie/whatever, then I've also established that it's okay for you to fire me for being ugly/Democrat/whatever.
Step into a huge movement. Don't Tread In Me.
How do you go about that? Suppose I were to set up a small business reselling GPG or something similar. Does the government simply hand me a copy of the watch list and let me do the checking myself? Or must I pass along the names of all my customers to them for authorisation to sell it on?
Real Daleks don't climb stairs - they level the building.
It's pretty clear that the War of Independance would have never begun if Britain had had the technology and power currently available to the US Government.
The various colonies in North America had meetings that were critical to organising a force and also for turning public opinion.
The US government currently is able to, and obviously does spy on American citizens without the kind of oversight which would allow us to even decide whether it is done for just cause.
Reread that part. We have no way of determining whether they have any just cause.
There are two questions:
Yeah they pretty much hand you the lists
/ delimit/index.shtml
http://www.treas.gov/offices/enforcement/ofac/sdn
Of course some of the entries are obviously from gathered inteliigence. I recall having to block anyone called "The Chess Player" from signing up. Unfortunately most websites don't gather date of birth, and when you do name only matching you catch a lot of innocent people - who are usually mightily pissed off about having to call EVERY SINGLE SITE that they try to sign up for.
The other big caveat is what you're supposed to do when you find a match - it's virtually impossible to stop them just changing their details and signing up again.
Yes, I know that we are spending tax money to spy on people who have nothing to hide rather than on fighting terrorism.
>Mr. Zimmermann, the registration page that is being refered to only asks for you email >address, thus your argument is invalid in this case. So why do you require registration? I told you why already. The wording of your posting implies you don't believe me. If you need more convincing, go to my Zfone FAQ page (http://philzimmermann.com/EN/zfone/index-faq.html ) where I address this particular question in great detail. If you still don't believe me after reading that, you are welcome to not use the product, and apply for a full refund. --prz
The Scarfo case. An accused mobster was using PGP, the FBI got a warrant, and tapped his computer with what sounds like a hardware keylogger.
I'll try to save myself from being offtopic by asking whether zFone might be equally vulnerable (probably not, the few leaks about Skype's crypto haven't sounded encouraging).
...inherently distrust government no matter who is in power. Libertarians always view the government as untrustworthy, expansive, over-reaching, and inefficient by it's very nature. Thus the idea is to limit the government to its most basic and fundamental operations as set forth in the Constitution by our founding fathers.
The lines between the Dems and the Reps here in the US have blurred to the point that distinction is negligible.
Libertas in infinitum