Slashdot Mirror
Zimmermann, Encrypted VoIP, and Uncle Sam
An anonymous reader noted that Phillip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.
why would people with nothing to hide want to have their personal conversations listened to? And why would we want to spend our tax money to spy on people who have nothing to hide? Shouldn't we be after the terrorists instead?
Really, I mean why do people wear clothes for that matter? I mean we are all made of meat covered in skin. We all know what human bodies look like. Everyone should just go naked from now on. Who needs privacy when you have nothing to hide?
From another NYTimes article, Bush Aide Defends Eavesdropping on Phone Calls(emphasis mine):
So why exactly is the government getting their knickers in a twist over Zfone? After all, the program is just intended to compile a database of call information, not actually listen to the content of the conversations. Doing that, as the administration has repeatedly told us, would require a court order.
So if you have a person you suspect from the numbers he's connected with, and you do obtain that court order, and it turns out he's using Zfone, there are other ways of getting the content of that conversation (hint: it has to be unencrypted at some point, so the 'terrorists' can understand each other). Arduous, sure, but since this will be done on only a select few, it's not that much of a hardship.
No, the reason the government doesn't like Zfone is because they want perform blanket surveillance on all American citizens; to listen to all our calls, all the time. By utilizing speech-recognition software and an ever growing list of suspect words and phrases, they will be able to keep tabs on the unruly U.S. population, weeding out terrorists, political dissidents, environmentalists, Democrats, and other 'undesirables'.
____
~ |rip/\/\aster /\/\onkey
How do you even know what you need to hide anymore?
The meaning of the word terrorist could change at any moment and the deffinition of enemy combatant is equaly fluid.
Your logic is flawed anyway... criminals are not the only group who like privacy.
I don't give a damn for a man that can only spell a word one way.
Mark Twain
Everyone should just go naked from now on
AMEN to that!
Nyhetsankaret.com -- det bÃsta av Sveriges Nyhetssido
Very true. But whenever technology gets involved in a discussion, people's eyes sort of glaze over. No one knows what's going on, they just hear Internet phone calls, terrorism, and encryption. While you and I know that anyone intercepting a packet (encrypted or not) can tell where it came from and where it's going, America doesn't. They probably think it's an effort at parity between VOIP and normal phone calls (if they know what VOIP is).
For the same reason I keep the curtains drawn in my bedroom windows at night, esp. when the s/o gets frisky.
Just because me and my s/o's bedroom activities are perfectly legal doesn't mean I want everyone else (let alone the government) monitoring it.
Quo usque tandem abutere, Nimbus, patientia nostra?
and all that relates to national security. CALEA, the thing that allows wiretaps under warrant, is in place for all previous communications methods, including paging. What government wants is CALEA type access to new communications types. HOWEVER: Neither the constitution, any ammendment, any subsequent law, or even terms of use, specify that your communications have to be made in an open unenctrypted manner. In fact, in the US, if there is no evidence, there is no crime, and no way to know the criminal. Its all part of that innocent until proven guilty mindset.
... at least not yet.
If all your telephone calls, emails, etc. are encrypted by you and the other intended party or parties involved, there simply is nothing the government can do about it. With probable cause, they can 'try' to compel you to divulge the encryption key, but then you don't have to testify against yourself in the U.S.
Neither can the government, church, or any other person(s) compel you to divulge your thoughts, or secrets.
Its time for the encryption phones to start appearing on the market.
This little problem will quickly spiral out of control until those that want to snoop on others have more work to do than they ever imagined. The basic problem here is that the people they say they want to spy on are not using the communication systems the same way as everyone else, and their communications are encrypted, or hidden in ways the government cannot prevent, nor detect with the laws and practices that they wish to install.
Wiretapping on the scales being talked about recently are stupid, prohibitively stupid, and will be nearly 100% ineffectual.
They can't find Bin Laden with all the military might, but somehow they are going to catch him making a phone call? uh, yeah right.... of course, its the little people that lead to the big ones, but they have been spying on the little ones all along... still haven't caught him.
Support NYCountryLawyer RIAA vs People
Phil took an open source VOIP client and added encryption to it. By his own admission, he doesn't know much about how to make VOIP work well, codecs and all that. But his encryption is very clever. It uses Diffie-Helman to generate a per-session key, which is stored in a completely volitile way. i.e. it is destroyed after the call terminates and cannot be retrieved (stored in memory which is then overwritten). So, even if a man (or government) in the middle records the RTP stream and then gets a search warrant to get the key to decrypt the call, it won't be there.
Look for his techniques for peer to peer key setup, which again is very clever and well thought out, to be used in a variety of new ways. I expect you will see a bit-t client soon that can also generate this one time session key between peers. It will be much more computationally intense than what you see bit-t clients like Azureus do to the CPU now, but no more than using S/FTP. Well, maybe more, because of the number of keys being setup and destroyed and the memory allocation needed in a swarm situation. But for peer to peer calls, it's strong and I expect that Phil, who was nearly bankrupted by Uncle Sam, trying to defend himself, will again be the NSA crosshairs. The guy is just a warrior, what can you say? Guys like him and Klein who blew the whistle on AT&T are the ones fighting for privacy and against a police state. And they will not be treated kindly by this administration.
Well, let's see, why do people wear clothes? Shrinkage. Brown and yellow stains on furniture. Getting pubic hair stuck. Seeing the US senate naked. I think those are excellent reasons. Yours may differ. If the US starts going all naked, I'm moving.
Just don't leave the country again Zimmerman...or you may end up locked inside that customs office where they 'want to leave lawyers out of this' again. :)
PGP Story:
MPG 1.1G
WMV 378M
I wish Cryptome would not redistribute my Zfone software. This morning I had to upload a new version due to a last minute mistake we made before the release, and Cryptome probably got the uncorrected version. This is beta software in flux, rapidly changing with new updates likely, especially shortly after it hits when we discover early problems. Further, I've just added critical warnngs to my web site about how to do the installation for Windows, and if someone grabs the software and posts it somewhere else, it will lack those warnings. There are good reasons why I want to maintain control of the distribution, especially during the initial public beta. --Philip Zimmermann (prz@mit.edu)
So, I'm the evil-agency-du-jour and today I'm auditing IP traffic. If you are a person of interest, they know:
1. You are sending packets to and from specific IP addresses.
2. Grabbing copies of those packets.
3. Putting super-computers to work on them.
4. Discover you are ordering pizza over SIP. (whatever, it's funny)
The concept of "Privacy" was dead a long time ago. I *still* don't understand the outrage when most of your activity is available through many data brokers. What's not there, is available with little procedural check or balance.
Where it is very valuable is company to company communication. Where your competitors may not have the expertise to get the info.
But, then there's the encryption problem anyone has that uses it. It's stupifyingly easy to build a case on suspicion. Trying someone in the court of public opinion is easy and swift. "He uses encryption so he must be hiding something.." is all it takes to end a career, destroy your social status.
Cryptographer==criminal. Film at 11.
If one can codify it's everyday use, I think it's a big step forward.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
This is an excellent article that rebuts your argument that is both concise and eloquent: http://wired.com/news/columns/0,70886-0.html?tw=wn _index_23
Terrorists are already using encryption to protect their privacy. Don't you think you should as well?
"Man in the middle" attacks are generally mitigated against by using a large initial key (such as the host key used by SSH, or the x.509 cert used by SSL) to guard an exchange of a smaller temporary session key as a shared secret, which is time-sensitive and is regenerated periodicly. You'd have to break the 1024-bit key or whatnot very rapidly, in the matter of a few hours, or else you'd be too late to do a replay or MitM attack.
. htm
This has a reasonable set of diagrams which describe the process:
http://www.netip.com/articles/keith/diffie-helman
It helps to have a registry or Certifying Authority available which has a list of published public keys...
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
If he's still using the system he presented last summer at BlackHat, he's actually doing something rather clever:
The system does a standard Diffie-Hellman key exchange between the two softphones, and hashes that exchange to words that each caller is supposed to read to the other (you see what they're supposed to say, and they see what you're supposed to say). So, unless the man-in-the-middle can also impersonate your voice, MITM'ing the connection is very difficult.
Also, the hashes used to generate that vocal exchange are stored for each destination you call for every call, and fed into the new hash generation. So, even if you skip a round of comparing the hashes, if you do it for a later call & it works, you can be assured that the *previous* call was also clean.
Before you launch into yet another tirade against the president, bear in mind that our divided Congress consistently allows things like this. This isn't a Bush thing or a Republican thing. This is a beaurocratic, ivory tower, professional politician thing. This happens because we elect the very wealthy from both parties, so that the majority of our elective government has very little connection with their constituents. We create political dynasties, voting for celebrities rather than leaders. Our current political situation isn't due to one man or one party, but rather one entire nation ignoring its own wellbeing in favor of the candidate with the best sound-bites and the stiffest hair. We might as well be getting our political news from E!: who cares how they voted, let's find out which congressman is cheating on his wife this week and what Hillary wore to session today.
120 characters for a sig? That's bloody useless.
If they have sufficient evidence to meet a reasonable probable cause standard, why not just let them into the house to bug the device itself? There are devices out there for keyboards which have a few hundred KB of memory and that sit between the keyboard and the port on the back of the PC.
They don't need to block encryption, except to keep tabs on people that wouldn't meet the legal requirements. If they can't meet the legal requirements for a warrant to break into the suspect's house and bug them, then chances are the person hasn't committed a crime.
Free minds. The greatest chilling effect of universal surveillance doesn't come from men in black vans. It comes from being unveiled as a Commie, or an Islamic Sympathizer, or even A Guy Who Googled for "Fatties" in front of your friends/employers/relatives/whatever. The greatest force against freedom in our society is us.
Not one of Sen. McCarthy's victims was actually thrown in a gulag. Think about that. They weren't fired by the government. They were fired by PHBs who acted in blind sympathy with loudmouthed bureaucrats. There would have been no McCarthyism if the public had not been willing to punish itself for unpopular thought and/or speech.
We need a society in which there's no difference between what's illegal and what harms others, and holds all other things not only legal, but acceptable. Once we have that society, people who have done nothing to harm others really will have little to fear. But there's one more thing: If we're going to use public safety as an excuse for universal surveillance, we have to give the power of surveillance to everyone, not just government.
Privacy advocates might cringe at that last statment, but consider this: People are getting more wired, surveillance is getting easier and cheaper, and that trend may never reverse. There may be nothing we can do to stop privacy from dying. Maybe we should start thinking about what we're going to do when it does.
Step into a huge movement. Don't Tread In Me.
Then why do you insist on having people register in order to download, instead of providing a simple link?
For better or worse, people interested in this type of technology also have a vested interest in anonymity.
You say things that offend me and I can deal with it. Can you?
> By utilizing speech-recognition software and an ever growing list of suspect words and phrases,
> they will be able to keep tabs on the unruly U.S. population, weeding out terrorists,
> political dissidents, environmentalists, Democrats, and other 'undesirables'.
Those evil Republicans! Except, wait... wasn't it the Clinton Administration that launched a 3-year criminal investigation of Phil Zimmerman in 1993?
And wasn't that the same President who championed the Clipper chip, so the government would have the keys it needed to decrypt your phone calls?First and foremost, I'm a long time fan of PRZ... he's a hero among heros and should be credited as such.
Secondly, am I missing the hardware solutions for things like this? I've been a Vonage customer for some time, and while Vonage seems to take a blind eye to security (just ask them they'll tell you they are happy to work with the local and federal law enforcement agencies). When will I be able to use a handheld, encrypted VOIP device, and be sure that its secure?
think before you write, it'll save me moderator points.
Sorry but the idea that we all have to give up our freedom to be safe and free is just beyond stupid.
Thanks to eating disorders most chicks are reasonably good looking these days.
Imagine, a Republican administration using laws created by Bill Clinton's Democrat administration to monitor international phone calls of known terrorists.
Incredibly suspicious.
"Is the government enforcing a law that terrifying to you?"
Depends on the law. A substantial fraction of the recent ones are, in fact, pretty terrifying.
Why yes, I AM a rocket scientist!
Although the US has ended most of their export controls for crypto software, there are still some reasonable export controls in place, namely, to prevent the software from being exported to a few embargoed nations, such as North Korea, Iran, Libya, Syria, and Sudan. And for commercial encryption software that you actually pay for (not this free public beta), there are now requirements to check customers against government watch lists as well, which is something that companies such as PGP comply with these days. PGP Corp volunteered to host the public beta software on their server, with all the appropriate checks in place. That's why you have to register, to make sure you are not in an embargoed country, to keep me in compliance with U.S. export laws. Been there, done that. -Philip Zimmermann
Yeah they pretty much hand you the lists
/ delimit/index.shtml
http://www.treas.gov/offices/enforcement/ofac/sdn
Of course some of the entries are obviously from gathered inteliigence. I recall having to block anyone called "The Chess Player" from signing up. Unfortunately most websites don't gather date of birth, and when you do name only matching you catch a lot of innocent people - who are usually mightily pissed off about having to call EVERY SINGLE SITE that they try to sign up for.
The other big caveat is what you're supposed to do when you find a match - it's virtually impossible to stop them just changing their details and signing up again.
The Scarfo case. An accused mobster was using PGP, the FBI got a warrant, and tapped his computer with what sounds like a hardware keylogger.
From TFL:
Your going to a lot of trouble for just about no gain at all. This system can and probably does not in any substantive way impede anyone from a blacklisted nation from downloading the software. It only alienates people who are casually interested, i.e. your main user base.
I can understand your situation. You're in a country where it is effectively illegal to publish online any piece of software that contains even the most basic of encryption algorithims. The situation is of course ludacrious, as such algorithims have long been in the public domain, at least as far as knowladge is concerned.
The purpose of the law of course, is not to prevent the export of encryption to forgein countries. They already have these algorithims. Nor is it to prevent access to the terrorist boegyman. They either don't use it, or can easily get access to encryption.
No. The purpose of the law is to hang the sword of damocles over the head of anyone who wants to bring safe and secure communication to the masses. The government doesn't want the masses to encrypt their traffic, and they use this law to impede the distrobution of your software and others like it.
I think you need to give up the ghost here. If your government wants to shut you down. they will, regardless of how much you try to comply with export restrictions it will never be good enough. I think you need to stop playing by rules where you can't possibly win and simply go all out in an effort to get as many people using zfone as possible. All out. Unrestricted downloads, ease of use, ad campaign, browser plugins, whatever. Just do anything to get as many people using encrypted VOIP as you possibly can, because until then, your software will remain one the fringe where it's easier to shut down.
If everyone and the Senator's daughter is using secure VOIP, it's only then that people will realise they have somthing to lose, and you'll have a better defense. Before that everyone who uses SVOIP is "aiding terrorism", not protecting people's privacy. Until Aunt Tillie is using your software, this angle can and will be played. You should do everything to get her onside ASAP.
May the Maths Be with you!
...inherently distrust government no matter who is in power. Libertarians always view the government as untrustworthy, expansive, over-reaching, and inefficient by it's very nature. Thus the idea is to limit the government to its most basic and fundamental operations as set forth in the Constitution by our founding fathers.
The lines between the Dems and the Reps here in the US have blurred to the point that distinction is negligible.
Libertas in infinitum