Compressed VoIP Calls Vulnerable To Bugging

holy_calamity writes "Security researchers at Johns Hopkins report that a variable bit-rate compression scheme being rolled out on VoIP systems leaves encrypted calls vulnerable to bugging. Simpler syllables are squeezed into smaller data packets, with more complex ones taking up more space; the researchers built software that uses this to spot phrases of interest in encrypted calls simply by measuring packet size."

Easy Solution:

[dintech]

Easy Solution. Music in the background.

Re:Easy Solution:

Better solution: Fix the stupid, broken protocol.

For instance, the concept of RSA blinding had to be invented because people discovered that certain bits of the SSL private key can be determined simply by measuring the time it takes to encode messages. This was due to some implementation details inside SSLeay where it switched from one multiplication algorithm to a different one depending on the size of certain numbers in the algorithm.

OAEP had to be invented for similar reasons

"Music in the background" is not a security solution. In fact, that's a freaking joke.

Re:Easy Solution:

[Daimanta]

""Music in the background" is not a security solution. In fact, that's a freaking joke."

Yes, but a joke you can dance on.

Re:Easy Solution:

[ehrichweiss]

VOIP: It's got a good beat and I can bug out to it.

Re:Easy Solution:

[martin_henry]

Awesome....a VOIP dance party.

Re:Easy Solution:

[gstoddart]

Easy Solution. Music in the background.

Oh, sure, give the RIAA reason to get involved in encrypted phone calls.

They'll try to make sure you're not using unlicensed music to mask your conversations. We'll be seeing John Doe subpoenas to get access to what music you were playing. :-P

I'm only half joking.

Cheers

Re:Easy Solution:

[billcopc]

Easier solution: don't use voice.

I've always found VoIP rather humorous, since you're taking a digital channel, and shoving voice through it - you know, like the reverse of a dial-up modem.

If you're dealing with sensitive stuff that you don't want eavesdropped, do it in a secure IM session or encrypted email. Talk is overrated!

Re:Easy Solution:

Easier solution... Southern accents. I'd luv ta seeyum deecifer r tawlkin.

Re:Easy Solution:

[jonaskoelker]

OAEP had to be invented for similar reasons Not true: OAEP fixes problems with the math, which by its declarative nature is timing-independent.

The problem fixed by OAEP is this: suppose you want to a message from a small set (say, a single bit, or "attack" versus "retreat"); assume for convenience the set of messages is contained in [0, n-1], where n = pq is part of the RSA public key.

If you just do plain RSA encryption (c = m^e % n), then the eavesdropper can encrypt all the values from the small set in almost no time, and see which of the encryptions match the ciphertext. You Have Been Decrypted. You Have Lost. Have A Nice Day.

What OAEP does: instead of encrypting just m, you pad m with some zeroes z and some random bits r. You then do the following:

left = (m and z) xor hash1(r)
right = hash2(left) xor r
return encrypt(left and right)

"and" is the concatenation operator, xor is bitwise; the difference between the hashes is the input/output sizes. Ideally the implement a random oracle.

This fixes a math problem, not a side-channel attack. How that relates to timing attacks on SSL I can't work out. See also the wikipedia article on OAEP.

Re:Easy Solution:

[A440Hz]

Nope. Typical vocoders for VoIP (like G.729 and G.723.1) are really pretty bad at encoding music. They're not nearly as bad as the first LPC vocoders, which assum e a monophonic (but harmonically complex) signal, but they still are optimized for speech, not music.

Want to know how it sounds? Just listen to background music on your cell. Yuck.

I'm assuming that VBR implies some sort of compressed vocoder other than G.711 or G.722, which are not variable packet size.

I may be wrong, though. One could do G.711 with silence detection and during silence periods, send noise description packets that are much smaller than the voiced packets. However, that would mean just two packet sizes, really.

Re:Easy Solution:

You're right, of course. My brain is too full with acronyms swarming around today.

Re:Easy Solution:

[lpq]

The music in the background isn't so ridiculous...though maybe it would be 'random' noise generated by the sending phone that is based on a key-negotiation sent at call start & maybe changed periodically throughout the call. But it may not be possible to remove the "scarcity" of information in the data-stream (all the small words have been compressed, so few bits are used) from the real-time nature of VoIP -- and the fact that people might not be saying much, using "little words", or whatever. It seems some sort of 'background' noise would need to be generated to keep the resulting datastream compressed at a *constant* rate. But if the compression is variable based on input -- of course the low-bit rate of the conversation's data-streams would be an indicator of the complexity of the information that's being encoded.

Do what my grandparents do

[phorm]

Anyone wanting to avoid detection could just follow what my German-speaking grandparents do when they don't want us kids listening into the conversation: randomly switch languages on different topics (though I think that this is sometimes also because some concepts are also easier to portray in a given language).

Random switches between languages would probably confuse the heck out of filters guessing compressed data. That or you could just learn Russian... I don't think they *have* any simple-syllable words in Russian :-)

Re:Do what my grandparents do

[smitty97]

That or you could just learn Russian... I don't think they *have* any simple-syllable words in Russian :-) In Soviet Russia, VoIP bugs you!

Re:Do what my grandparents do

[KevMar]

Get several audio clips of different presidential/dictator speaches in different languages and hold lots of extra calls just to play those back and forth.

Not only would you be switching languages, so would the filler voices. They would need even more people to sort it out.

Re:Do what my grandparents do

[markana]

>That or you could just learn Russian... I don't think they *have* any simple-syllable words in Russian :-)

Da!

Re:Do what my grandparents do

[mlwmohawk]

Just speak arabic!! We already know the FBI and CIA don't have enough translators.

Re:Do what my grandparents do

[JeffAMcGee]

Going from one language to two would only make the process of breaking the message a bit more complex, and by that I mean precisely one bit more complex, because there would be about twice as many phrases to look for. This is not a solution. The solution is to not use variable bit rate compression if security is important.

Re:Do what my grandparents do

[hummassa]

That or you could just learn Russian... Which would give you an advantage, if you ever have to pilot a bleeding-edge mind-controlled Russian jet fighter.

Re:Do what my grandparents do

Da!

Re:Do what my grandparents do

[MindStalker]

Depends upon how you define "translators." One of my best friends just got out of the Army, he is a really good linguist and knows several langauges, but he flunked out of the Arabic program because its not just hard to learn, you have to learn hundreds of dialects even for Iraq. He could understand it well enough but to be able to go out on the street and translate you have to be certain you won't accidentally offend with a mistranslation. Apparently virtual no non native arabic speakers ever make it through this program. Anyways he go reassigned to listen to and interpret radio broadcast and other incoming information. Not officially a translator. The point to this story?? I don't know..

Re:Do what my grandparents do

[SBacks]

If you're going to go through all this trouble, you might as well start from scratch. Make a language only you and people you wish to secretly communicate with know.

Re:Do what my grandparents do

[Anarke_Incarnate]

Nah, Esperanto for the win :)

Re:Do what my grandparents do

[caluml]

I don't think they *have* any simple-syllable words in Russian :-) Da?

Re:Do what my grandparents do

[gnick]

If you're going to go through all this trouble, you might as well start from scratch. Make a language only you and people you wish to secretly communicate with know. Ix! Gorfat blutell pragmew ig jounty crein moxin fout. Im odin reax trelli poin zor trillo daster zub? Unt jo.

Re:Do what my grandparents do

[Samizdata]

I worked for a set of commodity trader brothers back in the 80's. One of them, who worked as their corporate attorney, was in a Club Fed for tax issues.

I saw more than one threat from the Bureau of Prisions warning them to stop using Latvian (their native tongue) during phone calls to the incarcerated.

Re:Do what my grandparents do

[mlwmohawk]

Latvian? That's funny.

Security through obscurity indeed.

Re:Do what my grandparents do

Da! Cheater! Acronyms don't count! 'Deoxyribonucleic acid' (aka 'Da'), is quote obviously _not_ a simple-syllable word.

Re:Do what my grandparents do

[wyohman]

Apparently virtual no non native arabic speakers ever make it through this program.

Not likely spanky. Were this true, the language school at Monterey would have to answer a lot of very tough questions. Like my wise grandfather used to say, "Believe half of what you see and none of what you hear."

Cheers.

Re:Do what my grandparents do

[SharkyTech]

It wouldn't be a matter of just having twice as many phrases, because a phrase in one language could be recognised as a completely different phrase in English. Your point also doesn't take into account mid-sentence language switches ie. simply substituting words into otherwise English sentences. Also, your point is not valid unless the people analysing the traffic have prior knowledge of which two languages would be spoken, and therefore the system would have to cover the most common languages (at least 8 I would think). When you take into account the two points I made above, as well as trying to implement the system with more than two languages, you end up with a ridiculously large number of possibilities, as well as too many false positives (from similar sentences in other languages and mixed sentences).

Re:Do what my grandparents do

Nyet!

Re:Do what my grandparents do

[mpe]

It wouldn't be a matter of just having twice as many phrases, because a phrase in one language could be recognised as a completely different phrase in English. Your point also doesn't take into account mid-sentence language switches ie. simply substituting words into otherwise English sentences. Also, your point is not valid unless the people analysing the traffic have prior knowledge of which two languages would be spoken, and therefore the system would have to cover the most common languages (at least 8 I would think).

It dosn't need to be a different "language", randomly using of jargon or slang, could have much the same effect. There's also the matter that a well though out code can be indistinguishable from "plain language". But has radically different semantics to the prople using it compared with any third party evesdropper.

Randomize the packets slightly

[BasharTeg]

I would think that a very slight randomization of the packets with filler would add a trivial amount of data to the packet and would tend to interfere with thier analysis. I'm sure after a certain point of added bytes and randomization, you would change their margin of error such that the process wasn't useful or effective anymore.

Re:Randomize the packets slightly

[pclminion]

Time/space attacks are well known. Somebody who actually, hmm, UNDERSTOOD cryptographic security would never have designed the protocol this way in the first place.

The people suggesting that we should just inject noise or background patterns are being ridiculous. Why sacrifice communication quality when there are BETTER ways to fix it? DO IT RIGHT.

Re:Randomize the packets slightly

[Creepy+Crawler]

---The people suggesting that we should just inject noise or background patterns are being ridiculous. Why sacrifice communication quality when there are BETTER ways to fix it? DO IT RIGHT.

Injecting "noise" makes sense for me. Why so?

We use a salt for our hashes, dont we? The "noise" would be the same thing. Consider this: during negotiation, we have chaotic noise formulas in which we propagate the variables so that each side knows the noise transform. We then add the noise after digitalization but before encryption. Then the other side knows the inverse formula, decrypts it, and subtracts the noise.

Given pseudo-random numbers for the chaotic noise formula, it would give different encrypted data for the same exact voice (if we used a mp3 to exactly play something). Effectively, a voice salt.

Re:Randomize the packets slightly

[pclminion]

Sure, but this sort of defeats the purpose of VBR, since the resulting audio stream is random and thus VBR can't really do it's "thing."

Re:Randomize the packets slightly

[pclminion]

Damn. I apologize for the apostrophe abuse.

Evasive, ummm, technology

[martyb]

FTFA

In tests on example conversations, the software correctly identified phrases with an average accuracy of about 50%. But that jumped to 90% for longer, more complicated words. Wright thinks these phrases may be the most important. "I think the attack is much more of a threat to calls with some sort of professional jargon where you have lots of big words that string together to make long, relatively predictable phrases," he says. "Informal conversational speech would be tougher because it's so much more random."

So, ummm, what we should do to, umm, well, protect ourselves from, ummm, yaknow, eavesdroppers, heh-heh, is well, make sure there's enough, ummmmmmm, yaknow, like extra noise, like, mixed in, dude.

Re:Evasive, ummm, technology

Accidentally modded you as "overrated" instead of "funny", posting comment to correct the mistake...

Re:Evasive, ummm, technology

Don't you have to be logged in to lose the mod points?

Re:Evasive, ummm, technology

[gstoddart]

So, ummm, what we should do to, umm, well, protect ourselves from, ummm, yaknow, eavesdroppers, heh-heh, is well, make sure there's enough, ummmmmmm, yaknow, like extra noise, like, mixed in, dude.

Oh my god, thats like, totally, like, a great idea, yaknow. I mean, like, they'll never figure out what we're, like, saying, yaknow?

Oryoucouldspeakreallyfastwithoutpausesbetweenwords. Thatwaythey'llneverknowwhatyousaid =)

Or. We. Could. All. Speak. Like. Shatner. Random. Long. Pauses. Genius.

Cheers

Re:Evasive, ummm, technology

[SBacks]

Yes, but you can click that little box that says "Post Anonymously" when you are logged in.

Re:Evasive, ummm, technology

Or. We. Could. All. Speak.
Like. Shatner. Random. Long.
Pauses. Genius.

You're missing one syllable in the middle line...

Re:Evasive, ummm, technology

[Lisandro]

Lumbergh? Is that you?

Re:Evasive, ummm, technology

[gstoddart]

You're missing one syllable in the middle line...

He doesn't have a full pause between every syllable. Sometimes, he'll put a couple of words together in one go as well "Spock. How. Areweto. Know. Whattodo?" or "Nurse. Chapel. Let's. Gotomyroom". ;-)

Cheers

Re:Evasive, ummm, technology

[dmsuperman]

You sir, are an absolute genius.

Re:Evasive, ummm, technology

[CodeBuster]

Brilliant!

It's easy to encrypt your conversations

[muellerr1]

Just st-st-stuh-stutter when you talk. And use a lot of, uh, you know, um, non-word sounds between, uh, like, your phrases. And don't use any complexificated words without Bushifying them first. Better yet, only speak in Klingon.

Or maybe you shouldn't say anything on VoIP that you don't want anyone else to hear.

Re:It's easy to encrypt your conversations

[Ephemeriis]

Or maybe you shouldn't say anything on VoIP that you don't want anyone else to hear.

A couple honest questions...

1) Why do I see so much about wiretapping/bugging VoIP lately? I guess I've always assumed that VoIP was just as vulnerable to bugging as POTS - maybe even more so. Was I wrong? Was VoIP previously un-buggable and this just recently changed? Or is it just because VoIP is the new, cool thing?

2) Why would anyone think that compressed VoIP would be any more or less secure than uncompressed? As we can see, there's still patterns to be found. Wouldn't it make more sense to encrypt the data if you were worried about privacy? And since it's IP traffic, shouldn't encrypting it be relatively easy? Wouldn't a decent VPN pretty much take care of it?

Re:It's easy to encrypt your conversations

the problem is it _is_ encrypted

Re:It's easy to encrypt your conversations

[mmkkbb]

From the article summary above: "a variable bit-rate compression scheme being rolled out on VoIP systems leaves encrypted calls vulnerable to bugging" and "spot phrases of interest in encrypted calls simply by measuring packet size."

Emphasis mine.

Re:It's easy to encrypt your conversations

[gstoddart]

Or maybe you shouldn't say anything on VoIP that you don't want anyone else to hear.

Well, then what's the point in saying it at all then? ;-)

Oh, you mean someone other than the person you're talking to. My bad. :-P

Cheers

Re:It's easy to encrypt your conversations

Problem solved - just speak nonsensical jibber jabber, all the time, with music in the background, and occasionally shoot off a gun at your workstation, just to be sure.

Re:It's easy to encrypt your conversations

[Sloppy]

Or is it just because VoIP is the new, cool thing?

Sort of. VoIP is an opportunity to correct the deficiencies in POTS, so there are expectations that it should.

Re:It's easy to encrypt your conversations

Mr. T is that you?

Here's a thought

[mhall119]

Encrypt the data first, then compress it.

Re:Here's a thought

[pclminion]

Hahaha! Compressing encrypted data?! My sides are splitting!

In case you can't figure it out: good encryption makes data look completely random. Do you know of any algorithms which compress PURELY RANDOM data? I sure as hell don't.

Re:Here's a thought

Why don't you try compressing some well encrypted data and let us know how it works out?

Re:Here's a thought

[kbonin]

The output of any decent encryption algorithm should be indistinguishable from random noise for any non-trivial size sample, which breaks compression. In practice, most compressions of encrypted data are slightly larger than the original, as they generally are comprised of a header stating "use this directly", then the original data.

Re:Here's a thought

[corsec67]

Except that might not help here.
The issue is that VOIP is an application that needs low latency. You have to send the data you have within (.1 seconds? something small) a specific amount of time, and can't wait for the buffer to fill before sending it, compressed, encrypted or not. Thus you get packets that are different sizes.

This isn't sending the whole conversation at once, this is a constant stream of data with specific requirements on latency.

A solution would be to make each packet the same size by padding it with random data that the other side will discard. But that eliminates some of the benefit of compression.

Maybe just use a fixed bit rate, as opposed to a VBR encoding?

Re:Here's a thought

I just threw something together in Python that will compress encrypted data at a near 1:1 ratio.

Re:Here's a thought

[your_mother_sews_soc]

Some of the codecs, at least those that were developed a few years back when internet telephony first became legitimized, compress first for a good reason. They model their encoding on the "physiological" aspects of speech. The audio is analyzed for things like the noise component and formants, and simplified considerably. It is this analysis, I'm guessing, that is the "compression."

Re:Here's a thought

What idiot modded this up? Encrypted data is (pretty much by definition) uncompressable. Encryption works by hiding information and removing redundancy. Compression works by identifying and removing redundancy. The two concepts simply CANNOT BE APPLIED IN THAT ORDER. Go back to school -- both the OP, and whatever moron was moderating.

"Just stutter when you talk!" "Just play music in the background!" "Just switch languages in mid-sentence!" God help us. You must be the idiots who designed this protocol in the first place. The problem is that the spacetime information of the conversation was NOT TAKEN INTO ACCOUNT when the protocol was designed. This, in turn, means it was designed by a crew of fools.

Voice data just CAN'T be securely encrypted. That's because the spacetime information HAS to be there because we inherently interpret voice data according to these characteristics. Either you reveal this information in the stream, or you must increase the latency to the point that communication is impossible. If you want security, don't speak, WRITE, and use a cryptosystem that isn't a piece of shit.

Re:Here's a thought

[blueg3]

There's a reason for that. With a good encryption mechanism, the ciphertext will have maximum entropy (one bit of entropy per bit of ciphertext). Random data also has maximum entropy.

The point of compression is to take data that's expressed in a way that doesn't maximize entropy and reexpress it in a way that is higher-entropy (more information per bit). As such, maximum-entropy data is, by its nature, incompressible.

Re:Here's a thought

[rml1997]

GSM already performs some pretty nifty compression involving regenerating missing packets. By enhancing this, it should be possible to just send the encrypted message text and a voice profile and have the receiving phone talk in your voice. I'll get right on it... Actually, part of the problem with the encryption could be the GSM (or other codec) compression itself. It looks for similar packets and tells the receiver to use a previous packet instead of sending the new one. This would obviously be a much shorter transmission. Complex syllables are more likely to be more different than simpler ones, so that the codec decides to encode and send the new data. Thus another solution would be to improve the codec to recognise and reuse previously sent data better for longer syllables, or maybe to resend old data more often than neccesary and at random. Before doing this, I'd like to see just how much of the data can be deciphered using this technique. I bet its not much.

Re:Here's a thought

Yeah, well, I can compress encrypted data at a ratio of 0:x where x > 0. This method also makes the encrypted data additionally secure, and requires very little code to implement.

Re:Here's a thought

[oodaloop]

Voice data just CAN'T be securely encrypted. Really? I have a Top Secret phone on my desk, and I can assure you it's pretty secure. (And no, it's not a shoe.)

Re:Here's a thought

[wolrahnaes]

Voice data just CAN'T be securely encrypted. That's because the spacetime information HAS to be there because we inherently interpret voice data according to these characteristics. Either you reveal this information in the stream, or you must increase the latency to the point that communication is impossible. If you want security, don't speak, WRITE, and use a cryptosystem that isn't a piece of shit.

I disagree. The problem pointed at in this article can be easily solved on many SIP endpoints. I spend all day working on VoIP phones from vendors such as Linksys, Polycom, Aastra, Cisco, and if I really have to snom. Most of these have an option where it'll just send blank full bitrate audio rather than the usual "put silence here" instructions on G.711 calls. In fact that is the default behavior on some, since it makes the latency a bit more predictable to have a constant-rate data stream. If you want to use a VBR codec, of course this is a problem, but don't act like it's impossible or even hard to solve. If you are concerned enough to encrypt your conversations, use a CBR codec. 64 kbit/sec is not hard to free up.

Re:Here's a thought

[pclminion]

I bet you that phone is not packet based, not compressed, and runs over a physically secure line. BIG fucking difference.

Re:Here's a thought

[Quattro+Vezina]

Wow, I bet you're a lot of fun at parties.

Re:Here's a thought

[mhall119]

It's funny, because if I take any random file, make 10 copies of it, encrypt all 10 with the same key, then compress them all together, I actually do get some amount of compression.

Unless you plan on not duplicating sounds or sound sequences throughout your conversation, or using really big packets, chances are that you'll be repeating some of the same chunks of data, which will result in the same chucks of encrypted data, which would allow for compression. A generously lossy encoding of the original data could make it even more likely to get duplicate data chunks.

Re:Here's a thought

Do you know of any algorithms which compress PURELY RANDOM data? I sure as hell don't.

Of course they will compress it. Even purely random data will have compressible patterns. Take the simple case of purely random coin flipping:

If you flip your coin a million times, you are going to have long sequences of head-head-head-head-head-head-head-head-head-head and tail-tail-tail-tail-tail-tail-tail-tail-tail-tail.

You aren't going to get enormous compression ratios, but zlib, gzip and other algorithms will result in smaller amounts of data.

Re:Here's a thought

[gstoddart]

In case you can't figure it out: good encryption makes data look completely random. Do you know of any algorithms which compress PURELY RANDOM data? I sure as hell don't.

Sure, drop every other byte. It'll be half as big. ;-)

Cheers

Re:Here's a thought

[Quattro+Vezina]

I love that you put "and if I really have to" before you mentioned Snom :D

Their phones are a pain in the arse to configure. You pretty much have to use their web interface. Not to mention the buttons require so much effort to push, you're pretty much guaranteed to typo anything you try to enter. Bleh.

On the other hand, I love working with Cisco IP Phones and Avaya one-X 96xx phones. The Cisco IP Phone 7970 is particularly awesome.

Polycom and Aastra phones look pretty sweet, but I've not had much of a chance to play with them.

Re:Here's a thought

The solution is simple then: Compress first, and THEN encrypt. :)

Re:Here's a thought

[GuldKalle]

But how about compressing the data before encryption?

Re:Here's a thought

[GuldKalle]

Oops, I didn't see the GP, he was modded down. Nevermind what I said

Re:Here's a thought

[cstdenis]

Obviously you compress first then encrypt the compressed data not the other way around.

Re:Here's a thought

Even purely random data will have compressible patterns. No. They won't. Information theory FTW.

Re:Here's a thought

[gnick]

Obviously you compress first then encrypt the compressed data not the other way around. That's what they're doing now. That's why checking packet size is yielding exploitable information. Are you trying to be funny or do you really not grasp the topic here?

Re:Here's a thought

Sure it can be encrypted. Compress the audio, pad, then encrypt.

You don't have a clue.

Re:Here's a thought

[mstahl]

Of course you get some compression. You probably get a file that's ever-so-slightly bigger than just one of the encrypted files. The encrypted files—assuming pretty effective encryption—have close to their maximum entropy (ideal encryption, like a well-chosen one-time-pad, would have entropy equivalent to the length of the message in bytes, making it indistinguishable from random data). Repeating them reduces the overall entropy of the message as with each identical packet no additional information is conveyed, so the whole message would have entropy equivalent to the length of one message.

VoIP's voice transfer protocol (RTP? I forget the acronym) sends the packets in order though as they come. To compress a bunch of repeated sounds together would introduce a lot of lag into the transmission, because the receiving end would need to gather the packets in compressed groups. Then, they'd all arrive at once and you'd hear little chunks of conversation each time that happened, but there would be more lag the more packets you compressed together.

Re:Here's a thought

[TooMuchToDo]

I wish IP phones would, by default, stream the full audio instead of "put silence here". I understand you would be using more bandwidth, but the "comfort noise" to know the line is still up an running (when it's silent, you sometimes ask the person if they're still there) is a nice thing.

Re:Here's a thought

[mhall119]

The two ends could build an map, where instead of transmitting a duplicate chunk you just send "It's the same as chunk #123". Of course that table would get big very fast, so you'd either need lots of memory or trim the index every so often, so that only the most commonly used chunks stay in memory.

Re:Here's a thought

[rantingkitten]

haha, what? You like Cisco phones over the others? Ciscos are a pain and a half to deal with. Just getting SIP firmware loaded on them is an undertaking that never, ever goes according to Cisco's documentation, and only certain versions are upgradable to certain other versions, but not the ones that are in the documents, and so on.

To configure the damn thing you either have to set up a tftp server with the config files, and then pray that it works (because it won't half the time), or enter SIP information into it manually like you're sending a text message, because unlike every other consumer-level phone on the market that I've ever worked with, Ciscos doesn't have any kind of web interface. Which means that once it's configured, changing anything -- even, say, the time -- requires you to poke at the keypad as you unlock it several different times, scroll through interminable lists of poorly-documented options, some of which will be inexplicably grayed out for no reason...

On top of all that, they're ugly, clunky devices, uncomfortable to use for any length of time, and have horrendous speakers and microphones that sound like shit. I cannot find enough bad things to say about Cisco phones. They are designed by engineers, for engineers, and Cisco really needs to stop pretending they can make consumer-level devices. Leave that to their Linksys division, whose SPA series phones, while not perfect, are orders of magnitude more reliable and easy to use than those godawful Cisco deskweights.

Polycoms are okay, even if they do a lot of stupid things. You will learn to hate Aastras if you ever have to deal with more than one of them behind certain NAT implementations.

End of rant..

Re:Here's a thought

...Then apply ROT-13

Re:Here's a thought

[Quattro+Vezina]

To be fair, I've only ever dealt with Cisco phones in a Skinny environment. I've no experience with Cisco SIP (which I understand is a highly non-standard SIP implementation...).

Never had any TFTP issues--usually CCM takes care of that, and we use a proxy on top of that (not Cisco Phone Proxy). I'm not a big fan of web interfaces, and I like Cisco's phone interface. That big screen is really helpful. Yeah, it'd probably suck to try and configure something small like a 7911 using the phone keypad, but luckily I've never had to configure them. I mostly deal with the larger phones: mostly 7940/7941 and 7960/7961 models, with a bit of 7970 use.

No comfort issues either. I have a 7940 at my desk, and I usually use it in lieu of my cell phone. I can't understand much when it's on speakerphone, but all my co-workers have no problems with it, so it's probably just my hearing (and I know my hearing isn't very good).

Re:Here's a thought

[Quattro+Vezina]

Not only that, but media silence can be considered a media anomaly, and possible evidence of malicious use. If you're just sending signalling messages with no media, that can trip certain security features. You want media going through at all times, even if it's blank.

Re:Here's a thought

[rantingkitten]

Their SIP implementation is a horrible mishmash of nonstandard garbage. :) The other annoying thing, at least for someone like me who works in a SIP environment, is that Cisco's SIP stack is basically an afterthought. It'll function as a bare-bones SIP client but it won't do all the fancy crap people buy Skinny Cisco systems for, and then the users get all pissy, and then they whine at me, and then I die a little inside.

I am not a huge fan of web interfaces (hello, commandline!) but they're leaps and bounds better than tapping keys five times to make a lowercase J or whatever. I too deal primarily with 7940s and 60s, but they're such a pain.

The environment you're in probably mitigates the tftp issues, but having to specify an external tftp server and letting the phone handle it by itself is maddeningly inconsistent. On top of that, tftp is just a dumb protocol to use in many situations, and there should be other available means to do this.

Likewise for the firmware. On a Linksys phone for example, you download an executable, point it at the phone's IP, and it works. Most other phones have similarly easy methods. On a Cisco, I've never, ever had one successfully pull firmware images from a remote server, so if you're not on site then you have to walk the user through setting up a local tftp server and all the headaches that go along with that. It's just an unnecessary complication imposed by Cisco who can't seem to get it through their heads that not everyone is an engineer. (And it will still fail 50% of the time because the phone requests things very differently from what the documentation claims.)

Re:Here's a thought

[runexe]

Actually that is the point of some of the 'put silence here': it tells the local client to add comfort noise to let the user know the connection is still working. Of course the cost of this is allow the sort of traffic analysis TFA refers to.

Re:Here's a thought

[marcansoft]

Even a one bit change in the input totally changes the output of data after encryption (with secure encryption algorithms anyway). So unless you feed a deterministic voice synthesizer to the VoIP compressor and adjust the timing to exactly match that of the packets, no, you aren't going to get any compressible chunks in the output data after encryption. At all. Besides, if the encryption is any good it'll use a random IV for every packet, because encrypting the same plaintext to the same ciphertext itself carries a whole load of security problems. Your file encryption program sucks.

Re:Here's a thought

[pclminion]

The two ends could build an map, where instead of transmitting a duplicate chunk you just send "It's the same as chunk #123".

Great -- now, if an attacker manages to decrypt "chunk #123" they now know the contents of ALL chunks labelled "chunk #123." I can't see how that's good.

Re:Here's a thought

(And no, it's not a shoe.) Damn. My worldview is shattered, again!

Re:Here's a thought

[oodaloop]

Yup, you hit the nail on the head with that one, land lines all the way. Especially the ones on ship.

Re:Here's a thought

[blueg3]

Even if all three were true, it's still voice data. If you recall, you claimed it's impossible to securely encrypt "voice data".

The third, running over a physically secure line, is certainly not always the case. High-security phones encrypt data for transmission over radio waves for communication to points that landlines don't cover (ships, teams in the field).

Re:Here's a thought

[wolrahnaes]

As runexe said, most endpoints will put in some faint static instead of true silence when they receive a silence signal. This is the default as far as I've seen on all the brands I mentioned before. The only time I've not heard the fake static is on a Polycom phone using the G.722 "HD Voice" codec where there is so little static on the actual call audio that fake static would be strange. I have yet to experience a Cisco HD Voice phone, so I don't know if they do the same, but since the technology is licensed from Polycom to my knowledge I'd imagine it's implemented the same way.

Bad science

[DrYak]

First, the article mixes things :
vowels actually are simpler than consonant to compress (because of spectral complexity - consonant use much more different frequencies. They are mostly noises and have a more "random"-like wave form making them harder to compress). They got it completely in reverse.

Then TFA doens't show a method to magically guess was is being said over a crypted channel only by looking at the bitrates, it only says that it finds some predetermined pattern in a given set of samples to test against. The whole thing would only be able to answer to some very simple questions like "did the words XYZ appear in the conversation ? or did ABC appear in the conversation ?" - with a rather bad success rate if those words are long and complex enough - which hardly makes it enough to obtain personal information or otherwise efficiently spy on someone.

Then the whole system has a lot of short comings :
- As said before it assumes that the spy know exactly that some phrase has to be said - if the spy doesn't guess exactly what words he must search for the attack fails (the users may be speaking in a foreign language to begin with).
- It assumes that the speech-generator-made needle they are looking for in the hay sack will be close to what they are looking for. The users may have an accent and pronounce words differently (cf alumnium vs. aluminium, etc...)
- And worse of all, it assume that the granularity of the packed will be small enough so that the phonemes will have an influence on the bit rate. Whereas in reality, short packets have a big overhead of bandwidth, longer packets increases the latency. But lots of VoIP users are happy with a 500ms latency because it really diminishes the overhead. At 500ms you can have a couple of words in a single packet. The whole packet will tend to have a corresponding bandwidth close to the average (there will be small difference between phonemes, but these will all be packed into the same packet and will average).
- It fails to take into account an interleaved video stream. Video conferencing is really popular, and its own bandwith will completely dwarf the bandwidth used by audio. So unless the VoIP uses 2 separate stream (some VoIP systems do), and only encrypt at the stream level, and the transmission is happening over a non crypted channel (no sane person should do that), this method will fail epically.

Re:Bad science

[pclminion]

Then TFA doens't show a method to magically guess was is being said over a crypted channel only by looking at the bitrates, it only says that it finds some predetermined pattern in a given set of samples to test against.

I don't care. Good cryptosystems should be absolutely impenetrable. Even the smallest flaw is like a crack in a dike. Maybe it will expand and blow the dike, maybe it won't. But it's simply UNACCEPTABLE to have cracks in the dike, and it's UNACCCEPTABLE to have known weaknesses. Whether those weaknesses lead to a full-disclosure attack or not. In the world of cryptography there is no such thing as "good enough." It's either perfect, for the moment, with no known attacks, or it's a piece of shit. There is no gray area.

Re:Bad science

[fortyonejb]

Then TFA doens't show a method to magically guess was is being said over a crypted channel only by looking at the bitrates, it only says that it finds some predetermined pattern in a given set of samples to test against. The whole thing would only be able to answer to some very simple questions like "did the words XYZ appear in the conversation ? or did ABC appear in the conversation ?" - with a rather bad success rate if those words are long and complex enough - which hardly makes it enough to obtain personal information or otherwise efficiently spy on someone. ahh, but that can be enough for overzealous evesdroppers to come a knocking. Lets say the words and phrases "Commies" "Americans" and "Kill-em-all" were found in a convo. Depending on which side you are on, and who you are directing it at, you could be either extremely patriotic, or a "terrorist", care to guess which way our overlords will assume?

Re:Bad science

I don't care. Good cryptosystems should be absolutely impenetrable.

Ummm, no. Every encryption algorithm is guaranteed to be vulnerable to brute force - trying every possible key value.

In the world of cryptography there is no such thing as "good enough." It's either perfect, for the moment, with no known attacks, or it's a piece of shit. There is no gray area.

On the contrary, there is "good enough". You use an appropriate amount of protection for the value of what you are protecting. The front door of your house has a lock, you might have an alarm system, you might have a locked filing cabinet, you might have a safe deposit box in a bank vault.

Re:Bad science

[drew]

The whole thing would only be able to answer to some very simple questions like "did the words XYZ appear in the conversation ? or did ABC appear in the conversation ?" - with a rather bad success rate if those words are long and complex enough - which hardly makes it enough to obtain personal information or otherwise efficiently spy on someone.

Yes but presumably if you know that a certain phrase appears in an encrypted conversation, and when it occurs, that could allow an attacker to use a known-plaintext attack to discover the rest of your conversation. It seems to be the case with crypto systems that any attack no matter how small often leads to larger attacks.

Re:Bad science

[pclminion]

Ummm, no. Every encryption algorithm is guaranteed to be vulnerable to brute force - trying every possible key value.

Okay, wise guy -- leaving aside brute force.

Re:Bad science

Okay, wise guy -- leaving aside brute force.

Well, then you're failing to meet your primary criterion, "absolutely impenetrable". Does a user care how their encrypted secrets were cracked? Probably not.

Despite its age, 3DES has no known backdoors, but the keyspace is small. With $500,000 in computer power, you can brute force 3DES very easily. Despite that, 3DES is still used for lots of things today. By comparison, AES has a very large keyspace. Of course, who knows how much computer power the NSA has?

What about super-secure one-time-pads? They can still be compromised when the key is generated, transported or stored.

And what about internal attacks? There were many cases of traitors in the CIA & KGB during the cold war.

Good security requires thinking about the entire problem, from end-to-end.

Not encrypted very well are they...

I don't see how *encrypted* these calls are if they always compress the same way. Doesn't sound like they are encrypted beyond ROT-13 to me!

Re:Not encrypted very well are they...

[srmalloy]

What I find amusing about this announcement is that the VOIP encryption methods are reported to be vulnerable to "bugging", while Homeland Security et al. is blatting on about how it is vital to national security that they be allowed to require all ISPs to install back doors in their VOIP setups to allow them to tap and monitor VOIP calls. I guess Homeland Security can't afford to pay for decent IT security people.

Re:Not encrypted very well are they...

[AndroSyn]

It sounds like they are using whatever ciphers in ECB mode. ECB or electronic codebook mode is generally one of the most insecure ways of using any sort of block cipher. See the example in this wikipedia article as to how much information ECB can leak: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29

Re:Not encrypted very well are they...

[InlawBiker]

Yeah but there's a big difference between having to actually decrypt the packets, even with a crib and a known weakness in the encryption, and having the keys to the kingdom.

Re:Not encrypted very well are they...

[Vellmont]

It sounds like they are using whatever ciphers in ECB mode.

No. This type of attack relies on leaking information through a variable bitrate sound compression algorithm. The problem is there's more information in certain phonemes (individual speech parts) than in others, so they compress at different rates. That means you can look at the amount of information going across the wire as a function of time and guess at some of the phonemes. If there's enough of them, you can guess at some of the words. The chosen encryption method is (mostly) beside the point.

To fix this problem, you'd either not use a variable bitrate codec, or choose a type of encryption that puts junk data into the data stream as a function of the bitrate from the codec (likely before you encrypt it). Both methods would create a constant bit rate encrypted datastream, and thus hide this leak.

Measuring packet size?

[DrHackenbush]

Fortunately I am in receipt of email at this very moment where a nice foreign man claims he can and will increase the size of my packet. Whew!

solution by obfuscation... heh.

Merely utilize the stupendous wealth of complex language alternatives located in the voluminous expanse of your thesaurus to inflate your unimportant topics of conversation to prodigious lengths, and leave the vital ones to sound so simple they don't pay them any notice!

Anyway, what's the use of this? "Oh wow, they must be talking about something interesting. Now if I only knew what they were saying..." The simple fact that the communication is being encrypted would allude to that.

Re:solution by obfuscation... heh.

[Bob+of+Dole]

"These guys have a 75% chance (based on statistical analysis of voip packet sizes) of talking about terrorism! Better bug them for real, so the next time we can listen in."

ode-cay

[fahrbot-bot]

Ust-jay eak-spay in ode-cay.

Not really...

[msauve]

First, the paper was testing the Speex codec, and in based in principle on looking at codecs which use variable bit-rate CELP, a compression scheme which is tailored to speech, not music (music sounds terrible through one of these codecs, because their dictionaries are filled with speech sounds). Having music in the background is only likely to confuse the codec, making the speech sound terrible too, possibly to the point of unintelligibility.

The conclusions do not apply to more standardized codecs like G.711 and G.729a, which use fixed size packets.

The paper itself can be downloaded from here. Get it quick, before the IEEE figures this out and make the author remove it so they can extort their fee.

Protocol isn't broken - it's badly mixed

[billstewart]

This isn't a simple case of a broken protocol - it's an effect of mixing different protocols in ways that don't work together.

Voice codecs are designed to support a given level of audio quality subject to bit rate and computational complexity limitations. Most codecs are fixed-rate, or fixed-rate with silence suppression. Encryption isn't part of their design; it's somebody else's problem, and many VOIP systems aren't encrypted anyway (for instance, connections between an office phone and a PBX usually aren't.) Variable bit rate codecs are sometimes a good choice, depending on the kind of sounds you're trying to compress and the networks you're transmitting them on, and they're at least an alternative to the usual fixed-rate codecs.

Encryption systems usually aren't designed to deal with real-time message streams or timing attacks. Typically VOIP encryption protocols are designed for constant bit rate codec output, which is what most codecs provide, and the codecs usually package up 10, 20, or 30ms audio samples into a data packet for transmission over IP.

The problem occurs when you're choosing your codec and encryption separately, and you take a crypto system designed for fixed-rate codecs and use a variable-bit-rate codec instead. It's difficult to keep people from doing that sort of thing, especially if they're using huge-overhead approaches like VOIP inside IPSEC as opposed to VOIP systems with the crypto built in. It's also difficult to prevent people from making bad choices like that when they're using open-source software applications, as opposed to proprietary phones that only have the small set of codecs the manufacturer built in (typically uncompressed G.711, or G.729 or a GSM codec, all of which are fixed-rate except for silence suppression.)

This is compressed, encrypted VOIP

[billstewart]

1) You're seeing lots about bugging and wiretapping VOIP because VOIP use is increasing, and because the buggers in government are getting really aggressive about wanting to wiretap people. VOIP is potentially less secure than POTS, because there are more ways to tap the Internet than traditional phones (where you either use alligator clips on the wire or go to the phone company office), and it's also potentially much more secure than POTS, because the end users can do their own encryption without needing the network in between to be secure.

2)It's not that compressed VOIP would be inherently more or less secure than uncompressed - if you want it secure, you encrypt it. The problem is that if you use a crypto system that works just fine with fixed-rate voice (either uncompressed or with a fixed-rate codec, which most codecs are) and use a variable-bit-rate codec instead, suddenly lots of information leaks out through the timing, because the crypto system wasn't hiding the size or timing of the voice packets. So no, your decent VPN isn't taking care of it, because it wasn't designed to, and using a VPN instead of VOIP-specific encryption makes it easier for you to use whatever codec you like. Also, IPSEC is really inefficient for VOIP, and SSL or SSH are worse, because VOIP gives you a stream of lots of very small packets, and each layer of protocol (RTP, UDP, IP, IPSEC, etc.) adds more overhead - an 8kbps voice codec typically takes 24-28kbps of IP if you don't encrypt it, and maybe double if you do.

Re:This is compressed, encrypted VOIP

[FLEB]

I think another factor adding to the possibility of VOIP tapping is that your conversation is liable to be sent over a range of different midpoints and hardware, owned by a variety of people. Plus, tapping in and copying the information stream has very little chance of creating noticeable interference.

Re:This is compressed, encrypted VOIP

[6Yankee]

the buggers in government

Oooh. Well played, Sir, well played.

Re:This is compressed, encrypted VOIP

[AnyoneEB]

an 8kbps voice codec typically takes 24-28kbps of IP if you don't encrypt it, and maybe double if you do.

As I understand modern encryption, it adds overhead to creating the connection because encryption keys have to be shared before encrypted data can be sent, but the actual encryption is done with a cipher such that it takes up the same amount of space encrypted as decrypted, so it does not cause a size overhead on the main data transfer. Then again, if it changes keys often or is doing something else special, then maybe it would cause that much overhead.

Re:This is compressed, encrypted VOIP

[billstewart]

That's not actually the problem here - as you say, the encryption itself doesn't cause a size increase except for an initial key exchange. The problem is that you're taking a raw data packet of two or three 10-byte compressed-voice samples (each 10ms at 8kbps), wrapping them in RTP/UDP headers (20 bytes) and IP headers (another 20 bytes), and then if you're doing a typical VPN with tunnel-mode IPSEC, you're adding another layer of IP headers (which are slightly larger because they've got IPSEC options added), and it's not uncommon to need another UDP header somewhere for NAT evasion, which may also have its own IP header layer. On an Ethernet you don't care, but on a narrow radio channel of some sort it really matters, and in general in wide-area networks you care a bit, especially if you're trying to trunk a bunch of calls together.

If all of your equipment supports it, there are transport-layer encryption standards like SRTP which avoids the IPSEC overhead, but it does burn some bandwidth of its own on headers, checksums, etc. so it's not free either.

Asterisk avoids some of those problems for trunked connections, because it can combine the voice samples for a bunch of different calls into one packet, so the overhead gets amortized across all your calls. For a single person-to-person call it doesn't matter, but for a trunk between two business offices or similar application it can make a large difference.

Voice codecs are lossy compression

[billstewart]

Voice codecs are lossy, so they'll happily compress your encryption data to something smaller, treating it as if it were audio samples from a human vocal tract. Unfortunately, you won't get all the bits back when you uncompress it, so decrypting the data isn't going to reconstruct anything resembling the original voice stream :-)

Why change the packet size?

[argent]

Send fixed size packets, splitting longer syllables into more packets and packing multiple short syllables into single packets.

Re:Why change the packet size?

[rantingkitten]

Then you'd be losing the point of compression, in which case you could bypass the problem entirely since the attack relies on examining the compression. :)

In fact, you might be making it worse at that point, since now it's not compressed and you're splitting things into more packets than you were before, which could compound any latency-related issues that may be present.

Re:Why change the packet size?

[argent]

I don't think you actually understood my suggestion, because I'm not suggesting anything that would reduce the effectiveness of compression, nor am I suggesting splitting things into more packets, on average.

It would probably increase latency, but given the existing variation in latency I've seen streaming over the public internet I doubt you'd notice any increment from this.

It's not a flaw in the cryptosystem.

[argent]

It's a traffic monitoring problem.

It doesn't matter how good the cryptosystem you use to call the Pizza Hut nearest the Pentagon is, if you just need to count the trucks leaving the Pizza Hut to tell when there's a burst of late night activity so you can tell the invasion is about to start.

Really?

Bugger.

Let's try better than "information theory FTW"

[mstahl]

The entropy for a perfectly random coin toss will always be one bit. The formula, if I'm remembering right, is -sum(p_i * log(p_i)) where the p's are the probabilities of the various possible outcomes. In the case of a fair coin toss, these are both 0.5 and the outcome is 1, or 1 bit.

If the stream you're compressing has patterns in it, it is purely by coincidence and overall, the average entropy of any number of these streams will turn out to be 1 if you sample enough of them. Furthermore, if you do have a perfectly random string of bits, zlib, gzip, and all the rest will deliver a bigger file because of the overhead necessary for those file formats.

Try it on the command line, dd if=/dev/urand of=random_bits bs=1024 count=100 && gzip random_bits. Getting a smaller file out of that is more improbable than being attacked by a shark while being struck by lightning while you're holding a winning lottery ticket.

Re:Let's try better than "information theory FTW"

[robo_mojo]

Getting a smaller file out of that is more improbable than being attacked by a shark while being struck by lightning while you're holding a winning lottery ticket.

That's how my brother died you insensitive clod.

Re:Let's try better than "information theory FTW"

[ResidntGeek]

Getting a smaller file out of that is more improbable than being attacked by a shark while being struck by lightning while you're holding a winning lottery ticket.

I don't know about gzip, but for a perfect encryption algorithm the chance of getting a smaller file out of that should be 0.5.

Re:Let's try better than "information theory FTW"

[mstahl]

Omg I didn't know... I am so sorry.... ;-P

Much like traffic analysis attacks on SSH

[runexe]

This is very similar to traffic analysis attacks on SSH (like this one) where packet sizes and inter-arrival times can indicate which keys you are typing.
Effective, practical counter-measures against good traffic analysis techniques are very difficult - especially if the attacked has enough traffic to work with (i.e. many conversations, many sessions, etc.).

misleading title...

[Kral_Blbec]

The use of the word "bugging" infers that others can listen and understand what is being said. From the abstract all they can do is identify parts that might be interesting. There is a big difference there.

Re:misleading title...

[runexe]

Since the full paper doesn't look like it's available yet, it's not clear how much they can identify - but a similar research (e.g. this paper) is able to identify certain words (from a limited vocabulary) during an encrypted conversation. It's not the same as listening to a decrypted stream obviously - but it highlights the vulnerability to traffic analysis - this is revealing much more information than simply the existence of a conversation between two people - it can reveal at least some of the contents of that conversation.

Re:Why do they call codes "codecs"?

[Tubal-Cain]

Because it isn't just simple encryption.
compression/decompression
http://en.wikipedia.org/wiki/Codec

Seriously it's not that simple

[mstahl]

Totally not even how VoIP works. You're making the assumption that chunk #123 actually got there. There's no ACK packets in VoIP; if a packet is received out of sequence it's dropped. That's that "jitter" that happens when the line breaks up a bit every now and again. It's your packets not all taking the same route and getting to the destination device out of order.

You have to remember: VoIP is a real-time protocol, and keeping up with real time is the paramount concern, not necessarily absolute accuracy.

Whatever solution there is to this problem it has to work on packets as individual items. It can't work on a whole conversation because that's just not how phone conversations happen. If it really were that simple, we could just email each other encrypted mp3s and the system would work beautifully.

You might want to re-think that

[mstahl]

Seriously try what I said to try if you've got a linux/unix/mac system to try it on. You'll come up just slightly larger than the original file pretty much every single time.

Considering the output of a coin toss to be a random variable, and the string of bits to be a randomly variant process of probability 0.5, the probability of any given pattern is 2^(-n) where n is the length of the pattern in bits. Square it to give the probability of that pattern repeating. In order to come up with a file that's smaller than the original file you need many patterns repeating many times. Really. The entropy of a random stream is really high, and you will never compress a file beyond the file's entropy limits. It's just not possible unless you throw information away.

Fuzzy Logic vs. Binary Information

[DrYak]

Yes but presumably if you know that a certain phrase appears in an encrypted conversation, and when it occurs, that could allow an attacker to use a known-plaintext attack to discover the rest of your conversation. No you can't. Because you don't have the plain text. What you have is a probability that some piece of the crypted transmission sounds somewhat similarly to another piece of audio you have.

You didn't actually get the clear binary data (the original wave form or the original non-crypted compressed stream).

By comparing the two pieces you have matched together you can't infer the key that was used to encrypt into another, because they actually AREN'T the crypted version of the other. They AREN'T the same data. They just happen to show some similarities in rythm.

Counter measure.

[DrYak]

I don't care. Good cryptosystems should be absolutely impenetrable. Even the smallest flaw is like a crack in a dike. Maybe it will expand and blow the dike, maybe it won't. But it's simply UNACCEPTABLE to have cracks in the dike, and it's UNACCCEPTABLE to have known weaknesses. As I said, the counter measure is bloody simple :
Use longer packets.
- It saves your bandwidth because of less overhead (that's why people are *already* doing it).
- It has only a small impact upon latency.
- With long enough packets, the difference between sound averages and nothing can be eavesdropped based on phonemes compression ratio.

It's only rythm based

[DrYak]

The eavesdropping is only based on the rythm of speach based on the difference in phoneme compression.

If we admit that the conditions are good enough for the trick to work (short packets, no background noise, no additional data interweaved with the voice stream) ...

ahh, but that can be enough for overzealous evesdroppers to come a knocking. Lets say the words and phrases "Commies" "Americans" and "Kill-em-all" were found in a convo. Depending on which side you are on, and who you are directing it at, you could be either extremely patriotic, or a "terrorist", care to guess which way our overlords will assume? Then you sent to Gitmo a poor schmuck whose girlfriend happens to be named "Connie", who complained about "drinking a merry can of vodka" the night before and now needs "some tylenol to kill the pain".

Using strong understatement, TFA were basically saying that the success rate is useless unless the chunks are long stream of unambiguous words.

Not hunting for keywords, but hunting for complete keysentence. Like two engineers (say nuclear, one of the Iranian) discussion about some formula. You know the formula, you can generate a sentence that might appear.

But then what's the likelihood that they indeed used that sentence and didn't express the idea differently, or used a different type of jargon, or used brand names, or spoke another language to begin with (the first engineer was Japanese), etc...

Not a joke. Another layer on the onion, friend.

[aphor]

Hey AC: don't be an asshuile. We are all on the same team here no? You are right, but the irony is that because you are right, you are frustrated that people don't get it, and you react in a way that reduces the fraction of readers that will get it.

It's worth noting that the wrongest part of the dintech post you're criticizing has nothing to do with music. It's "Easy Solution"... as if. So is it going to be "give a man a fish" or "teach a man to fish?"