Slashdot Mirror
Encrypting Phone Storage and Transmission? (2011 Version)
An anonymous reader writes "Soon I'll be moving to one of the hot, culturally restrictive countries which has recently been in the news ... and which monitors and filters web traffic. ISPs and cellular providers are both owned by the government. Needless to say, I'm concerned about privacy and am even posting to my fellow Slashdotters as an anonymous coward. Which smart phones are the best for a) encrypted storage, and b) encrypted transmission? I'm not worried about encrypting SMSs or traditional voice traffic, but I would like all IP traffic as secure as possible. Setting up a server in my less restrictive home country is an option. What storage encryption and transmission encryption would you recommend for that situation? I'm willing to buy yet another device, if necessary. (No, I won't get a SatPhone.) I currently have a Nokia N900 running Maemo5 and another device running Symbian S60v3. I was hoping to have a secure OS like BackTrack running on the N900, but it looks like the software was never totally ported for the device."
Why not a traditional VPN with an Android or iOS device? Symbian should also be able to support VPN connections as well.
Non impediti ratione cogitationus.
Ah, but was your first post made securely?
If you are going to Saudi...co-workers couldn't wait to get the hell out of there. VERY SCARY PLACE. Public beheadings on Fridays.
Start all your conversations with "Death to America! Long live the revolution!" And if you're in a Muslim country, tack on "Allah be with us all!" They won't even bother to listen to the rest of your conversation.
Your welcome! No problem!
You will just need to buy that phone in the country you are going in. Otherwise you may loose it through customs unless you are a diplomat. Best to get something boring and assume that everything you send is readable by anyone. If you keep something that is valuable there is nothing that customs would like better than to have your device.
This isn't the exact solution, but you sould be able to tunnel a skype connection over the Tor network, for a short period of time.
Depends on the length of communication, which isn't stating in the question.
Hi, I Boris. Hear fix bear, yes?
Bouncee is a VPN service designed to protect the privacy of international travelers. It encrypts all your network traffic and routes it through a server in the United States.
It's also really, really cheap. This sounds like what he's looking for.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
(1) As far as encrypting the data on the phone itself, I'd recommend Blackberry if you can swing it. It's the only phone I know of that has the capability of actually encrypting the filesystem, though maybe that's changed.
(2) Having said that, any data you send/receive is going to go through Blackberry's servers and your privacy/protection depends on whether RIM is playing ball with that country or not, in addition to any snooping the local cellco might be doing. So you'd better make sure you are accessing things over SSL, or you might consider an VPN-tunneled-VNC connection to a server in a friendlier country. But again that's encrypted data and your cellco will know it's out there.
What's your risk doing something you might get caught where the government knows what you are doing, as opposed to getting caught doing something where the government doesn't know what you are doing?
Is the move itself absolutely necessary?
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
I have the same problem. I am not in a restrictive country, however my phone lines are tapped on a regular basis since i deal with defendants. its not paranoia -- they really do tap phones of attorneys to get around atty/client and ive seen the records more than once. I use an SSH connection to a tomatousb router (ASUS RT-N16) and forward ports to my N810. you can do the same with your N900. this allows me to do VOIP directly and also share the same connection locally by letting my N810 serve as a local hotspot. All traffic is encrypted with SSH until it reaches my home which is on a dynamic ip anyway. This has worked against local and fed agencies but may not work against NSA/big brother type agencies or against foreign government state departments. You need a fast upload connection (my 25/2 Mbps cable connection works fine). For anything more than the usual calls i meet people in person at the office. meeting in person is covered by priv and works well.
Consider giving Whisper Systems "TextSecure" and "RedPhone" applications a try. I have had good luck with them. I don't know if they have been ported to S60 yet.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
I'd be most worried about the: "he's using techniques which we can't crack. so he's really up to no good, and we must therefore have him 'pay us a visit'" (cf the usual: http://xkcd.com/538/). So perhaps you should consider communication that doesn't trivially look like communication that's subversive to the powers-that-are? Just something to mull over; because you see, the birds do fly west on a sunny day.
It has support for OpenVPN, SSH and tor out of the box. There was one guy in #maemo I think that said he succeeded at implementing full disk encryption, you might want to come there and ask. And if you install kernel-power you'll be able to be use iptables, which should help with making sure only what you want gets in and out.
Now, will encryption help you? What is going to happen to you if you're arrested and suspected of accessing something you shouldn't? I'm thinking that in such a place, if they find you have a heavily encrypted phone they're just not going to let you go if they can't get data off the device, and refusing to tell the password might not be a great idea.
Perhaps you should look more at plausible deniability. Try to set up the phone in a manner that is as un-suspicious as possible, make sure nothing incriminating gets logged on the device, and do all your suspicious activities on some remote server, with some panic system that can remove anything suspicious like tor or ssh without leaving a trace if you get in trouble.
For testing what gets stored, you could try using rsync. Sync the entire phone, do something like loading a website, sync again and see what changed.
About the best you can do with off the shelf phones is to use an email client that supports secure communications, and visit
web sites using ssl only. (not Slashdot).
You could try some of the secured proxy browsers such as https://www.the-cloak.com/ (self issued certificate - so due diligence required)
as a way to browse sites like Slashdot that don't offer secure connections.
Sig Battery depleted. Reverting to safe mode.
Set up a BES Express server, and get a BlackBerry. I'm not sure you can find equivalent security on any other platform. The BES Express server (free) offers transparent VPN. The devices themselves are unmatched, security-wise (though you'd be stepping back like 5 years in features). Email might be a problem if you don't want to also run exchange or lotus domino, but you could easily set up an IMAPS server and use that.
Is not to use those services. Generally speaking, if the country is that restrictive, they probably will not take kindly to a foreigner trying to bypass the restrictions.
A good rule of thumb to travel: obey local laws. If you don't like them, don't go there. As a foreigner, you are in a pretty risky spot to try to take matters into your own hand.
You're going to a restrictive country with little human rights, and you think that encryption will keep you safe?
I think that XKCD put it best... http://xkcd.com/538/ I'm surprised nobody's posted this yet.
I feel compelled to point out that while BackTrack is a great distro, it's primary goal isn't really being secure from outside intruders. It is designed for auditing and testing other systems. I'm sure with a reasonable effort you could lock it down to be relatively secure, but you're looking at the wrong tool for the task. Hell, it runs everything as root by default.
If you're not a high-priority target or planning on creating civil unrest, than this restrictive government doesn't care about you. If you are, then encryption isn't going to save you. They'll either pull off some side-channel attack, like a rootkit on your phone that no amount of encryption is going to subvert, or just throw you in jail for using encryption at all.
I'm all for security, but a lot of Slashdotters really need a sense of perspective.
Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
Before doing this you may want to check what the local laws are. Police States do not like privacy. Encryption is not always legal. If you find it's illegal you will probably also want to check what the penalties are.
the iPhone can do PPtP tunnels.. I haven't played on my Nokia N800, but I'm positive it can do it as well.. and I can't see any reason why you couldn't do it on an Android. I believe the Crackberry has such a large business-centric user-base, I'd be very sup
Setting up and using an encrypted tunnel is pretty basic and most recent generation phones you'd even want to bother 'surfing' on should be able to do this. So if you're shopping for a new device, I'd just add this to a check-box list of features you want, and focus on other things.
----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
This page lists many High Quality Encryption devices.
http://www.jproc.ca/crypto/menu.html
Look at the KGV series
Like the beaver, it's just Dam one thing after another
It sounds you are using your phone to provide IP to other devices. You can just use ssh on those "other devices" to port forward anything you like. There is no need for any special phone nor software running on the phone when the IP traffic itself is already encrypted.
I would recommend just censoring yourself.
The fact of the matter is that if the country is actually using sophisticated techniques to look for spies, they will be actively looking for data traveling in an encrypted form to the united states.
It would be a shame to be captured and interrogated because the tyrants didn't know that "secret message" was about how much you hate your boss.
I'm pretty sure the poster doesn't actually know what they need, want or are asking for, but best wishes.
Some resources for the n900:
----- file system encryption-- ...and then mount the phone's encrypted volume from the card, thru 1 usb connection
Truecrypt for true cross-platform encryption on the phone's non-boot volume
(available by default in the N900's Extras-Testing repository)
A nice script to simplify use of TrueCrypt (no screen icon = non-obvious = good)
http://forums.internettablettalk.com/showthread.php?p=597269
Also note that for your pc, you can put the x86 tc.exe on the phone's unencrypted boot volume,
----- IP encryption
Tor is available as a package and works well, tho with caveats
http://www.torproject.org/docs/N900.html.en
SSH is also available
----- semi-secure voip
Skype support is inbuilt (tho sometimes suspect w/proprietary encryption & whatnot)
configure thru Settings>Connectivity>VoIP and IM.
Run your own Asterisk PBX on the n900 with an encrypted config/tunneled
available in the Extras repository
----- alt boot options
option to boot alt OS hidden on card
http://wiki.meego.com/ARM/N900/Install/Dual_Boot
http://neopwn.com/ (sometime soon, one hopes)
option to carry a hidden/alt bootable PC OS in your phone
http://zitstif.no-ip.org/?p=451
I think not...(*poof*)
I'd believe that only Maemo offers moderately convenient gpg encrypted mobile email, not via the default email client sadly, although maybe you could hack that. Afaik, Maemo boasts the only mobile OTR messaging solution too. Android and Symbian beat out Maemo when your talking encrypted voice calls however since only they boast Zfone implementations. If the country is evil enough though, they might not even have access to skype conversations, not sure how skype handles baddies.
Afaik, all modern mobile platforms support virtually all VPN protocols. Android will handle ssh tunnels once you jail break it, presumably the same for Symbian. iPhones, Blackberries, etc. will get messy wrt port forwarding. I'd imagine that only Maemo will offer seamless SOCKS5 support, but maybe Android. VPN also offers the most plausible deniability if they catch you using encryption.
I've cannot comment on encrypting the contents of the phone under Android and Symbian, but Maemo supports some encrypted file systems from Linux and Easy Debian offers all the others. We're hearing about dual core phones running Android and Debian simultaneously. So maybe you should get your encrypted filesystem running on your N900 now, but plan on buying a dual Android & Debain device once your N900 gets long in the tooth?
In practice, you shouldn't really worry too much about your random comments or encryption usage. American citizens won't get harassed too badly unless they're clearly a threat, i.e. an activist, journalist, etc. If your not America, then you should seriously check into the country. Saudi Arabian employers love keeping people there as slave labor by taking passports, even heard about them doing this to French people.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
It supports both regular VPN and tunnelling with ssh (or any other command line program). The browser can be configured to go through a proxy if you like. If you want a mainstream phone, that's probably the best way to go. There are also lots of encryption solutions.
iPhone is nearly useless from a security point of view: when the VPN connection shuts down (as it does from time to time), it starts transmitting your data unencrypted; totally unacceptable!
If you want any more control, you probably need to get an N900 (while you still can).
You can get a little flexibility by using a mobile WiFi hotspot and a separate WiFi enabled internet access devices (e.g., Android tablet, Android phone, etc.).
It's not worth it.
Technology is not the issue: get your favorite OS instance from your favorite cloud provider/hoster or whatever, setup ssh and openvpn. Part 1 done. Now hop on irc.freenode.net to #asterisk or #freeswitch and ask around for a provider that offers encrypted SIP calls using TLS/SRTP or even ZRTP using non standard ports (like 80, 443, 25 etc.). If your new overlords don't block ports perhaps Skype works too. Use creditcard to throw some cash at the service, configure phone. Part 2 done.
Bottom line is that when you are in a country with scary overlords with many scare drones who like to see you in a scary basement with scary tools you want to keep your head down, do the work, grab the pot of gold (I hope) and get the hell out. If you are from the US be prepared for some serious negative sentiment towards you and the US in general. Do not comment on anything political ever. Do not comment on the pothole in the street, the food, the music, do not comment on girls/women ever. Basically do not comment on anything. Just smile, shut up, respectfully say you have work to do and back out of the discussion as fast as you can. And remember, your biggest "friend" is probably the guy that reports about you every night and gives the other scary drones the intel based on which they might decide to drag you into one of their basements. Do not confide in any person. Oh and just because some other expats say there's no problem with having a few alcoholic beverages at home does not mean that it's save for you. Just imagine the scary basement with the scary tools before you do something that is totally normal in the US but might be or is conceived as insulting and illegal in your nice new restrictive country.
I hope it's worth it.
I'm not worried about encrypting SMSs or traditional voice traffic, but I would like all IP traffic as secure as possible.
If your traffic doesn't require real-time reporting of events (i.e. a delay of 2-3 hours between the event and the report is OK) and doesn't require large amount of data (i.e. text reports rather than video).
1. As you control both ends of the communication, consider a prearranged set of one-time pads
2. Plausible deniability - including steganography and Rubberhose filesystem
3. Netbook instead of a smart-phone? (easier to arrange, no need to hack the phone)
Good luck.
Questions raise, answers kill. Raise questions to stay alive.
Before you start trying to figure out how to circumvent being spied upon by the host government, maybe you should look into the possible consequences of this. It may well be that if they find out that you're doing this, things could really turn out bad for you.
It's generally a good idea to try to actually obey the laws of the country you're going to, especially if it's as volatile as you say it is. If you're a foreign national and don't have any sort of diplomatic protections, you could be playing a risky game.
Lost at C:>. Found at C.
From what I know, an encrypted data connection is of limited value.
1) If you are using HTTP, the ISP can listen-in on you even if the communication to the tower is encrypted.
2) If you are using HTTPS, and the certificates are properly validated, then the communication is encrypted from the phone to the tower past the ISP and all the way to the web site. They can't listen in on you at any level. The only potential gain I see see to encrypting the data communication as well is that someone can't tell what site you are visiting by intercepting the phone's data connection. (HTTPS doesn't hide that.) But then that can be seen by the ISP.
Also, I'm not sure if you can trust the data encryption. How can you tell that the phone is using it? Or that the tower is using it? Or that it isn't breakable?
And what would one use for the first of the two requirements, encrypted storage, on an Android platform? I'd love to hear of a solution.
This sig is false.
While I think the parent is being funny, Ham Radio would be something that couldn't be stopped as long as you have little power.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
I have OpenVPN running nicely on my Android 2.1 phone. Had to root it, tho.
And since you are rooting it, you shoud be able to partiton you sdcard and setup some kind of encrypted filesystem. I havent tried it yet, but might just to see if is possible.
Also, in a country like that, you might try getting a phone without a camera... just in case.
Duct tape can easily cover up a phone's camera.
Pwnie Express sells a N900 with Backtrack installed, dunno how well the phone functions though
The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.
I've wondered if surreptitious software installation could be defeated on a GSM device by using some something like this: http://www.bladox.com/doc/sec_ed_ug_en-2.pdf which sits between the hardware and the SIM, and is running a custom made application. With the GSM standard the SIM queries the hardware to find out if it is capable of taking over-the-air updates. This device could spoof what the hardware sends to the SIM so the network operator sees a non-OTA updateable device. Also if the network operator wanted to install a SIM based app this device could capture it. If anything outside of your defined parameters were taking place the device shuts things down. Possible? Please test and report back :D
http://www.bladox.com/doc/sec_ed_ug_en-2.pdf
Setup a OpenVPN box somewhere free (VPS Hosting) and install the OpenVPN application for the N900 - Works great for me !
After coming back on in an hour, and attempting to establish the tunnel again, we discovered, that traffic had slowed by 70% over the tunnel, and that two routers in the hops right before the gateway link out of China were dropping packets, but only the tunneled traffic. It looked to us that we had triggered some type of attempt to monitor our traffic, we stopped tunneling. In the coming months we found a bug in our board room, there were several attempts to hack into our office netwokr, two that we knew were successful. Coincidence?
No. Your network administration people suck incredible amount of ass, so they can't configure routers in a non-SSL-breaking way, and allow your network to be "hacked" by random skr1pt kiddies.
Contrary to the popular belief, there indeed is no God.
If you are an American and are going to participate in political demonstration in a foreign country, you deserve anything and everything that will be done to you.
Contrary to the popular belief, there indeed is no God.
To start off, here's the obligatory xkcd cartoon to go with the question: http://xkcd.com/538/
Having spent some time in those countries, you should be careful to also consider the social aspect of what you want to do. Encrypting data is all fine and dandy, but that will only help against snooping and in case you lose your phone. At a checkpoint full of burly men asking you to show them what's in the file myporn.secret or SoundOfMusic.avi, encryption wont help. You will hand over either your 25 character top secret password or your denture. For those situations, it's a lot preferable if no suspicion arousing files are found.
For safer surfing, a VPN connection - preferably one easily going through proxies is more useful. I would stay away from solutions like Tor, because they make you suspicious by default and go with a plain vanilla corporate VPN, one preferably landing in a legitimate corporate net from where you can connect to further machines containing the stuff that can lead you in trouble (eg Pretty Woman with Julia Roberts in some parts of the world).
Hi, check out the guardian project http://guardianproject.info/ which is aimed at mobile security for Android.
You can use Nokia's mVPN on Symbian with a VPN provider of yours.
As with some of the other posts I would be concerned about raising the eyebrows of the local intelligence agencies by encrypting a connection. In some countries (Iran for instance) i would think this would almost automatically trigger a police officer at your door for questioning or a visit to a local police station for interrogation. They would want to know what secrets you are hiding from them. I also imagine that leaving things unencrypted is undesirable as well. Personally, using "normal" channels is a mistake. Too bad there are not some affordable yet covert communications channels that have little to do with traditional phone networks or internet. Or at least something that transmits at different frequencies in small bursts that just look like background interference etc (I know CDMA works on this but that doesn't help in foreign countries and it is still in a domain that the authorities monitor from the CO, backbone, etc). I am sure the CIA has something like this. But it is about time that we had alternative paths that are covert and very difficult to even detect. In which case, it would not even have to be a really high speed connection for something like sending an email now and then or the occasional document or file. Even then, there is still risk with something like that being suspect by the local intelligence agencies if it is a device they know that you have and they become curious about something that is not simply a "normal" cell phone or small computing device. It seems best to just live with their local laws and try not to counteract them because otherwise there is a high risk of winding up in a very bad prison or similar situation and maybe no way for your own country to get you out of trouble.