Big Brother Wants Into VoIP At Any Cost

wallaby fly-half writes "An amendment to the CALEA law would make it easier for the government to monitor calls made over VoIP and even temporarily store some packet traffic. Ars Technica reports that the 'bill will put the technology in place to buffer packet streams, and places the job of filtering those streams under government control. We know from the NSA warrantless wiretapping program that the government is not limiting itself to access to under court orders, and the CALEA bill must be considered in light of the capacity it generates.'"

So is it time for another encryption system?

[i_want_you_to_throw_]

Remember Clipper chip? Yeah ole Sammy wanted in then too but they changed their tactics by using patent law when that initiative failed.

For those who don't know, the DES patent is owned by N.S.A. so when you see that Verizon's latest gadget that is triple DES encrypted don't be impressed, Uncle Sammy can get right in.

Seems like what we need at this point is OSS encryption that can't be so easily cracked by N.S.A. It's just a matter of time before Skype/Vonage, etc are required to change their encryption to DES or something that the government can read.

It used to be that the government had better technology always, not so true anymore. So /. geeks, create a solution.

SpeakFreely

[really?]

I could be wrong, but I am not aware of any vulnerabilities in SpeakFreely - http://www.speakfreely.org./ So, if you are worried about people intercepting your calls .. there are solutions. And, yes, it does run on Linux, or, if not, the source is there ...

AES can be trusted, but Skype's PK cannot

[Sloppy]

Skype is encrypted with 256-bit AES which is pretty darn good. However, does one think that the NSA, CIA, FBI, etc.. cannot break the encryption?

Yes, I think they can't break AES256. But I also think they can break the PK that is used to transfer the AES session key. Why? Because Skype is not intended to be secure for the users. Skype uses Skype as the trusted introducer for the PK negotiation. If the FBI tells Skype to implement a MitM attack, then Skype can do it.

The proper way to implement VoIP or any other internet communcation, is to let people be their own PK introducers/certifiers. And let them use OTPs in situations where it is feasible, which just happens to be pretty common (e.g. your phone and your wife's phone probably spend several hours in the same room together, every night).

Phone should be an app, not a service

[Sloppy]

The reason our phones are vulnerable to these kinds of attacks, is that we view phone service as .. um .. well, I just used the word: service. You use a "service provider's" network. I'm not talking about your ISP.

But with IP, you don't need to use a "phone service provider" except to interface with POTS. Have your phone contact my jabber server to start a conversation, and we'll use PGP on top of that. Now there isn't any "provider" to regulate and force to implement MitM attacks. They would have no choice but to regulate the users themselves, and we've seen how great that works with the War on Drugs. I guess it'll be another excuse to throw people in jail, and another way to make good people live in fear of their government, but one thing you can be sure of: it won't work for anything else. It won't prevent the behavior that they're trying to suppress.

Death to "service providers." We just need open phone hardware (that we can install our own application on) and a network connection.