Slashdot Mirror
Zimmermann, Encrypted VoIP, and Uncle Sam
An anonymous reader noted that Phillip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.
Really, I mean why do people wear clothes for that matter? I mean we are all made of meat covered in skin. We all know what human bodies look like. Everyone should just go naked from now on. Who needs privacy when you have nothing to hide?
For the same reason I keep the curtains drawn in my bedroom windows at night, esp. when the s/o gets frisky.
Just because me and my s/o's bedroom activities are perfectly legal doesn't mean I want everyone else (let alone the government) monitoring it.
Quo usque tandem abutere, Nimbus, patientia nostra?
and all that relates to national security. CALEA, the thing that allows wiretaps under warrant, is in place for all previous communications methods, including paging. What government wants is CALEA type access to new communications types. HOWEVER: Neither the constitution, any ammendment, any subsequent law, or even terms of use, specify that your communications have to be made in an open unenctrypted manner. In fact, in the US, if there is no evidence, there is no crime, and no way to know the criminal. Its all part of that innocent until proven guilty mindset.
... at least not yet.
If all your telephone calls, emails, etc. are encrypted by you and the other intended party or parties involved, there simply is nothing the government can do about it. With probable cause, they can 'try' to compel you to divulge the encryption key, but then you don't have to testify against yourself in the U.S.
Neither can the government, church, or any other person(s) compel you to divulge your thoughts, or secrets.
Its time for the encryption phones to start appearing on the market.
This little problem will quickly spiral out of control until those that want to snoop on others have more work to do than they ever imagined. The basic problem here is that the people they say they want to spy on are not using the communication systems the same way as everyone else, and their communications are encrypted, or hidden in ways the government cannot prevent, nor detect with the laws and practices that they wish to install.
Wiretapping on the scales being talked about recently are stupid, prohibitively stupid, and will be nearly 100% ineffectual.
They can't find Bin Laden with all the military might, but somehow they are going to catch him making a phone call? uh, yeah right.... of course, its the little people that lead to the big ones, but they have been spying on the little ones all along... still haven't caught him.
Support NYCountryLawyer RIAA vs People
Phil took an open source VOIP client and added encryption to it. By his own admission, he doesn't know much about how to make VOIP work well, codecs and all that. But his encryption is very clever. It uses Diffie-Helman to generate a per-session key, which is stored in a completely volitile way. i.e. it is destroyed after the call terminates and cannot be retrieved (stored in memory which is then overwritten). So, even if a man (or government) in the middle records the RTP stream and then gets a search warrant to get the key to decrypt the call, it won't be there.
Look for his techniques for peer to peer key setup, which again is very clever and well thought out, to be used in a variety of new ways. I expect you will see a bit-t client soon that can also generate this one time session key between peers. It will be much more computationally intense than what you see bit-t clients like Azureus do to the CPU now, but no more than using S/FTP. Well, maybe more, because of the number of keys being setup and destroyed and the memory allocation needed in a swarm situation. But for peer to peer calls, it's strong and I expect that Phil, who was nearly bankrupted by Uncle Sam, trying to defend himself, will again be the NSA crosshairs. The guy is just a warrior, what can you say? Guys like him and Klein who blew the whistle on AT&T are the ones fighting for privacy and against a police state. And they will not be treated kindly by this administration.
From an old .sig quote:
Considering that most of the parents of new postdoctorate-level mathematicians probably live overseas nowadays (and whose conversations are therefore legal to record), maybe the old .sig quote was always more true than funny.
I wish Cryptome would not redistribute my Zfone software. This morning I had to upload a new version due to a last minute mistake we made before the release, and Cryptome probably got the uncorrected version. This is beta software in flux, rapidly changing with new updates likely, especially shortly after it hits when we discover early problems. Further, I've just added critical warnngs to my web site about how to do the installation for Windows, and if someone grabs the software and posts it somewhere else, it will lack those warnings. There are good reasons why I want to maintain control of the distribution, especially during the initial public beta. --Philip Zimmermann (prz@mit.edu)
Terrorists are already using encryption to protect their privacy. Don't you think you should as well?
If he's still using the system he presented last summer at BlackHat, he's actually doing something rather clever:
The system does a standard Diffie-Hellman key exchange between the two softphones, and hashes that exchange to words that each caller is supposed to read to the other (you see what they're supposed to say, and they see what you're supposed to say). So, unless the man-in-the-middle can also impersonate your voice, MITM'ing the connection is very difficult.
Also, the hashes used to generate that vocal exchange are stored for each destination you call for every call, and fed into the new hash generation. So, even if you skip a round of comparing the hashes, if you do it for a later call & it works, you can be assured that the *previous* call was also clean.
> By utilizing speech-recognition software and an ever growing list of suspect words and phrases,
> they will be able to keep tabs on the unruly U.S. population, weeding out terrorists,
> political dissidents, environmentalists, Democrats, and other 'undesirables'.
Those evil Republicans! Except, wait... wasn't it the Clinton Administration that launched a 3-year criminal investigation of Phil Zimmerman in 1993?
And wasn't that the same President who championed the Clipper chip, so the government would have the keys it needed to decrypt your phone calls?I'm going to vote for the candidate that likes to "shake things up."
Good luck. One such politician (before he died in a plane crash) was Paul Wellstone. A little too far left for my tastes, but a nice guy from my conversations with him.
He went in all fire and zeal, and was basically told by the party leadership to STFU and play ball or he will get NO SUPPORT on ANYTHING - including basic normal federal funding for highway projects and such.
The system is broken - I don't care WHO you elect.
Although the US has ended most of their export controls for crypto software, there are still some reasonable export controls in place, namely, to prevent the software from being exported to a few embargoed nations, such as North Korea, Iran, Libya, Syria, and Sudan. And for commercial encryption software that you actually pay for (not this free public beta), there are now requirements to check customers against government watch lists as well, which is something that companies such as PGP comply with these days. PGP Corp volunteered to host the public beta software on their server, with all the appropriate checks in place. That's why you have to register, to make sure you are not in an embargoed country, to keep me in compliance with U.S. export laws. Been there, done that. -Philip Zimmermann