
I MUST get this........
....I have absolutely nothing nefarious or confidential to say, but the thought of really, really upsetting "Expenses" Smith and "Veto" Straw is just too delicious to miss...
A British security firm has urged the government not to impose heavy-handed interception regulations on VoIP providers, ahead of the forthcoming consultation on communications data. Cellcrypt, based in London, develops and sells a smartphone application that allows companies to make encrypted VoIP calls internationally. The …
Asterisk and OpenSSH will do the trick nicely, and noone will ever know what was said.
Or check out OneSwarm and its ilk. Friend to friend peering with longer distance comms done in multiple hops, end to end encrypted.
I'm afraid that unless the conspiracy theorists are correct and 'they' write a back door into every crypto algorithm, unless that's true, the authorities literally cannot eavesdrop on what people are doing.
Even with legislation to make people give up keys. For those wondering how that could possibly work, read up on Diffie Hellman ephemeral key exchanges, pick the pieces of your brain up off the floor and then consider the implications if you're a spook that usually only has to plug his listening device into the right wire...
"Recently, UK intelligence agencies have complained that the rise of VoIP makes it difficult for them to monitor communications."
Let me see: The rise of morse code did it, the rise of the Enigma encoding machine did it and the rise of digital communication technology did it.
Of course, in each of those cases, the intelligence agencies applied themselves and eventually developed technology that allowed them to monitor communications. So what's changed? A simple lack of faith. Once upon a time we (at least, me) believed the intelligence agencies were there to protect us. Then, along came a Republican government in the United States and a clunking, statist, 'New Labour' government in Britain.
Those clumsy, paranoid, control-freak politicians made it know that there is no longer any such thing as personal privacy. "You will be monitored for your own good!" was the cry. No-one is to be allowed to have a private life any more.
So, now, we (I) believe that the intelligence agencies will use any new power to increase their ability to monitor my tedious conversations and predictable movements. Life has an added spice. In addition to going about my daily business, I now have the fun of trying to do so in a way that makes it difficult for the 'agencies'.
The rise of VOIP makes it difficult for Big Brother to keep an eye on me? I'll open an account immediately!
Those regulations will be moot. The bottom line is that anyone can write solid encryption software using well published secure algorithms (e.g. AES, Blowfish, Twofish, CAST and others). So all that will happen if legitimate companies are required to provide backdoors is that OpenSource or "free hobby" software with similar functionality as Cellcrypt's software will take over.
If I'm not mistaken, isn't AES an American government 'approved' standard for encryption? That ought to raise questions with anyone considering encrypting their phone calls etc.
Also, given sufficient tradecraft skills even a simple encryption scheme can be used to make life very difficult for eavesdroppers. We should all hope that terrorists stay dumb and rely on their encryption.
"UK intelligence agencies have complained that the rise of VoIP makes it difficult for them to monitor communication" -- GOOD! It's about time someone stood up to those control freaks. What I say, and who I say it to, is nobody's business but mine and theirs.
@ David Hicks -- Dead right, and being Open Source means that there's no chance of a backdoor.
It's not so much the encryption that's worrying them. Nobody is going to say "the illegal drugs arrive tomorrow on flight XYZ, the tracking number is 1234, Mr Real_Name please go and collect them at 9:00am"
The real value of telecoms intercepts is to build up a network of who contacts who - then you get a nice 'linked to terrorism' flag on your database. With skype it's difficult even with the cooperation of all the international ISPs involved to know who is calling who.
Yeah, right. Ofcourse all terrorists and criminals will automatically volunteer to communicate by following those regulations. Absolutely obvious to many of our beloved leaders. Fact: terrorists and criminals follow laws - therefore legislation against encryption will mean that terrorists and criminals will not use it!
Don't we all just love the logic of it?
Paris - well it's kind of obvious...
RC4 may have various attacks, but AES is about the best there is at the moment. The whole development process for AES was fantastically open, so it's unlikely there are "backdoors" for the spooks to use.
AC. if you can provide a method that shows AES to be "America's Easiest Security (to break)", I'm sure the crypto community would love to hear about it, because you're clearly cleverer than most of them.
I'm not so convinced the NSA can break AES.
Yes, it's approved by the US government, it was written by an academic and won the AES title in competition. It's been widely scrutinised by security experts across the world.
Does that mean that the NSA definitely can't break it? No. But I'd put money on the fact that it still holds up to them and if they can break it then they can only break it with huge amounts of computer power and intelligent brute-forcing on selected small pieces.
Spooks beware!
So you invest in thousands of pounds of software or just use AES or pgp - then someone like me comes along and makes a very small driver that feeds a "software sound device" it sits between the soundcard and the speakers.
OH NO with all that encryption that simple driver makes it obsolete :(
You can hear both sides of the conversation, record them and even resend them over a vpn or vlan lol.
If its a computer - it may well have the worlds best encryption but its made useless if all you need is to listen to the output from the sound card - thats NOT encrypted.
as 118 would say GOT YOUR NUMBER.
1. If AES is so easy to break, why does the U.S. Government allow the use of evaluated implementations of AES-128 for classified data up to SECRET, and AES-256 for classified data up to TOP SECRET?
2. Sectera Edge doesn't compete with Cellcrypt, nor does it compete with the Blackberry. The Edge uses Type 1 crypto, and therefore isn't available to the public at all, in any form whatsoever. Conversely, Cellcrypt on commodity (i.e. not security hardened) hardware is never going to be accredited for highly classified data.
Rijndael is AES
Rijndael was the name of the cypher before it began a standard, the standard name being AES.
Although I do agree with your comments about it being insecure becuase the government uses it. Its an open source algorithm, which has been round for many years (I know I bought the book detailing the algorithm many years ago whilst at uni). As computing power increases it will become easier to break as DES and triple-DES the previous standards did. But as that happens it will be improved and replaced.
If you are worried about the security of any algorithm go and get a copy of the cypher, and if its not available in the open market its not secure. AES is available, many very bright and independant experts have validated it, and if you dont trust them do the maths yourself.
Of course specific implementations may not be secure becuase they can have backdoors and bugs in them, but hay you have the algorithm write your own.
Alan
With electronic communications there seems to be a sense in the security community that they should be monitored simply because the technology is there to monitor.
Since the introduction of digital switching systems from the 1970s onwards, there have been provisions in the hardware and software for 'lawful interception' i.e. your phone conversations can be listened into remotely, without any difficulty.
Before digital switching, a wire tap was literally that, someone had to obtain a warrant, go to a telephone exchange and physically install a device to record your line. It was difficult, and it would only have been used where necessary.
There seems to be a sense now that they should just record everything (just in case) and put it onto a giant google like database so that it can be data mined.
If the security services suggested that seals on envelopes should be banned, and all correspondence should be scanned by your local post office so it can be read for subversive material, can you imagine the absolute outrage there would be?
But, just because it's a data stream of telephone conversations, faxes, emails or online communications it's somehow not causing even a slight fuss.
Why aren't people annoyed about this on a wider scale?!
What do you mean by a driver?
Are you talking about a trojan that records sound activity on a particular PC? Sure that could work fine. Good luck getting it onto my machine without physical access, unless my (open source) router has holes I don't know about, you can't even address my laptop...
If the spooks want to physically gain entry and bug the place, fine, let 'em. They need to be able to investigate circumstances where they have enough reason to believe something is going on to persuade them to get up out of their chairs and go and watch someone.
It's the random trawling and data collection about every one of us that I find offensive.
Now where did I put that terrorist drug bomb guantanamo obama?
The Tsarist secret police had lots of moles in the Bolshevik Party before the 1917 revolution, and a fat lot of good it did them. All members had to work like fuck spreading propaganda and agitating and recruiting, so to get anywhere the goons had to do lots of *useful* work against themselves. They even had a goon in the Executive Committee (Politbureau). He was in on everything. And a fat lot of good it did - he had to do more party work than anyone to get there and stay there, And the smelly gents didn't understand what he was telling them anyway.
But if you've got an old school tie you smell the same as the top honcho smelly gents, and can get in without a fuss - and be a useful mole. Burgess, Maclean and Blunt. Say no more, nudge nudge wink wink.
And the intelligence of the special smelly gents at the bottom of the ladder, with only their smelly old macs in common. Well, I give you this:
"Jean Charles de Menezes, 27, was shot seven times in the head and once in the shoulder..."
(Paris cos no British Special Forces goon has shot her seven times in the head yet...)
Not a trojan as such, even the intelligence service could spot that (i would hope)
A simple driver with a bit of the software adapted for the sole purpuse of being a bug.
I hadnt given the "how" they would get it onto the laptop much thought, but there are stories of some very seriously deviant methods they "could" use to do it.
So heres a guess at a very strange plot.
SPY a plants someone in creative sound employment - they alter ALL the drivers secretly. No one notices then in a dark base somewhere everything is analysed. (its far fetched i know, but im not a blooming spy hehehe)
even if there was some sort of modest breakable encryption going on with the "great unwashed" that would make even the simplist mass monitoring unfeasable. Instead of the milliseconds it takes now for the NSA to scan for key words it might take seconds. the problem of scanning for keywords would then get exponentially harder.
Bring on encryption for the masses!
I suppose the real criminals / spooks will be / are simply using a little applet on both ends that does the encryption. over the same open connection. wether that is ip/landline or cell, is not even relevant.......
paris, because she's the only one I heard off that just looses the whole thing..... (her cell, people, her cell)