GNU Free Call Announced, SIP-based VoIP
andrea.sartori sent in the "development plan for GNU Free Call, an open source VoIP service based on the SIP protocol. According to the announcement, it 'aims to be as ubiquitous and usable as the proprietary Skype VOIP service.'"
So this has no relation to the two previous articles? http://mobile.slashdot.org/story/11/03/15/0432226/Richard-Stallman-Cell-Phones-Are-Stalins-Dream http://it.slashdot.org/story/11/03/15/1513257/Encrypted-VoIP-Meets-Traffic-Analysis
I hate to upset RMS again, but dropping the GNU and just calling it FreeCall would be fine.
In case you're not aware, Ekiga already exists and is a free-software SIP client implementation. See http://ekiga.org/ . At best this should be an extension for Ekiga, not an entirely new project.
-molo
Ekiga is a softphone client, not secure self-organized communication services.
This project aims to implement the entire VOIP network back-end, vaguely similar to how Skype does it (largely P2P).
"Work is the curse of the drinking classes." -Oscar Wilde
"This project’s definition of secure media is similar to Zimmermann’s work on ZRTP, in that we assure there is no forwarding knowledge by using uniquely generated keys for each communication session. Furthermore, we will use GNU Privacy Guard (GPG) to fully automate session validation. This will be done by extending the SIP protocol to exchange public keys for establishing secure media sessions that will be created by each instance of SIP Witch operating at the end points on behalf of local SIP user agents, and then verifying there is no man-in-the-middle by exchanging GPG signed hashes of the session keys that were visible at each end."
So there are encryption measures in hand. Even vanilla VoIP has SIP over TLS and SRTP to work with. ZRTP is reasonably well supported too. It also employs a Skype-style P2P routing system, which should help provide a comparable degree of anonymisation: "Our goal is to make GNU Free Call ubiquitous in a manner and level of usability similar to Skype, that is, usable on all platforms, and directly by the general public for all manner of secure communication between known and anonymous parties, but without requiring a central service provider to register with, without using insecure source secret binary protocols that may have back-doors, and without having network control points of any kind that can be exploited or abused by external parties. By doing so as a self organizing meshed calling network, we further eliminate potential service control points such as through explicit routing peers even if networks are isolated in civil emergencies."
So, which is preferable, transparency wise, a technology provided by a publicly traded company, or an open-source technology which can be administered by the end users if they so wish?
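The check quoted above (each end signs a hash of the session key it sees, and the peer verifies that signature and compares hashes) can be sketched as follows. This is an added example, not code from GNU Free Call or SIP Witch: Ed25519 from the Go standard library stands in for GPG signatures, random bytes stand in for the negotiated media key, and every name in it is hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Endpoint is a hypothetical caller; Ed25519 is an assumed stand-in for its GPG key.
type Endpoint struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewEndpoint() *Endpoint {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Endpoint{priv: priv, Pub: pub}
}

// Attest hashes the session key visible at this end and signs the hash.
func (e *Endpoint) Attest(sessionKey []byte) (hash, sig []byte) {
	h := sha256.Sum256(sessionKey)
	return h[:], ed25519.Sign(e.priv, h[:])
}

// Verified needs a valid signature from the trusted identity AND matching hashes.
func Verified(mine, theirs, sig []byte, peerID ed25519.PublicKey) bool {
	return ed25519.Verify(peerID, theirs, sig) && bytes.Equal(mine, theirs)
}

// RunCall simulates a call; if intercepted, a relay holds a different key with each end.
func RunCall(intercepted bool) bool {
	a, b := NewEndpoint(), NewEndpoint()
	keyA := make([]byte, 32)
	rand.Read(keyA)
	keyB := keyA
	if intercepted {
		keyB = make([]byte, 32)
		rand.Read(keyB)
	}
	ha, sigA := a.Attest(keyA)
	hb, sigB := b.Attest(keyB)
	return Verified(ha, hb, sigB, b.Pub) && Verified(hb, ha, sigA, a.Pub)
}

func main() { println(RunCall(false), RunCall(true)) }
```

The check only means something if each end already trusts the other's public identity key through some other channel; a signature made with an unknown key proves nothing about who is on the line.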
Empathy, Ekiga, Twinkle... the list goes on. Even Pidgin has SIP plugins. Why is this project special or needed?
Oooo. Wire tapping. Waste as many CPU cycles as you want intercepting my calls about grocery shopping, how your day went and what time we're meeting at the bar.
If I *really* wanted to kill the president, start thermonuclear war, blow up a dirty bomb in New York City, funnel money to Al Qaeda, etc. I'd find much better means of communication.
There are dozens of 'free image sharing' websites. Pair that up with craigslist, steganography and some pgp and best of luck tracking all of that. If for nothing else the noise ratio is way too high.
So I plan on blowing something up. I take a stock photograph of a car and dump a pgp message into it. I post it to craigslist under something that doesn't exist, like "Rare 1963 Ford Mustang". My friends know what to look for and maybe an area.
For example this image: http://img842.imageshack.us/img842/5563/steghide.jpg
Download, then run it through:
steghide --extract -sf steghide.jpg -xf message.txt -p bomb
Or there's python-stepic. http://img687.imageshack.us/img687/4907/stepic.png
stepic -d -i stepic.png -o jnk
And you can embed more than just short messages. I tested out a 20 paragraph ipsum.
http://img153.imageshack.us/img153/4911/ipsum.jpg
steghide, password 'slashdot'.
It's only the dumb criminals/terrorists that get caught. If people WANT to hide messages, it's not that hard.
Well, I can think of various technical solutions. For one, you only know the person on the other end based on their gpg public key, which is probably registered somewhere you reasonably trust if you want to accept the call. We could show you the registration info for the caller, and after answering you will find if the person on the other end claims to be the same person or organization. If the call turns out to be illegal spam (based on the national do-not-call list?), we could have buttons in the app to report the caller to both the registry where they published their public gpg key, and with federal authorities who may be able to look into major offenders.
Another part of the solution could be the whole web of trust thing, which is a great idea that never seemed to pan out. In theory, if you are trying to call me, some non-spammer I know should be able to vouch for you. Somewhere out there should be someone willing to identify all real people on the net. In fact, maybe I would pay this organization a few bucks to somewhat verify that I'm a real person, and not a robot, someone unlikely to spread spam. If we automated black-listing spammers so fast that they didn't get to make many calls with that few bucks they paid to get white-listed, it wouldn't be profitable for them.
Another possibility is that for callers not on my white list, I demand some electronic cash for the call to go through, maybe something like a buck. If I accept the call and don't black list you afterwards, you're white listed and your cash is refunded. If I blacklist you, I keep the buck. I'd love to do that one to my ex-wife if she ever calls :-)
Celebrate failure, and then learn from it - Nolan Bushnell