Re: How the Greek cellphone network was tapped.

2007-07-22 Thread David I. Emery
On Sat, Jul 21, 2007 at 12:56:00PM -0400, Steven M. Bellovin wrote:
 On Sat, 21 Jul 2007 04:46:51 -0700 (PDT)
 look at 18 USC 2512
 (http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2512000-.html)
 
   any person who intentionally ...
 
   manufactures, assembles, possesses, or sells any electronic,
   mechanical, or other device, knowing or having reason to know
 that the design of such device renders it primarily useful for the
   purpose of the surreptitious interception of wire, oral, or
   electronic communications, and that such device or any component
   thereof has been or will be sent through the mail or transported
   in interstate or foreign commerce;
 
   ...
 
 So simple possession of a surreptitious interception device is illegal,
 with exceptions for things like sale to law enforcement or
 communications companies.

This language was originally aimed at bugs, hidden
microphones,  and other similar devices with essentially no purpose
other than intercepting conversations. These devices are usually called
Title III devices and are indeed illegal as defined above except in
the hands of law enforcement and the like. Private use and even
possession is forbidden. 
 
And there have been many prosecutions for possession, sale,
trafficking in, and importing bugs and similar intercept hardware -
mostly of Spy Shop operators who import this stuff from abroad and
sell it to sleazy private investigators and divorcing spouses.

This language has been around since the 1968 Omnibus Act was
passed and was extended with the passage of the 1986 ECPA to cover
wire, oral, or electronic communications.  It is not new and did not
result from the Newt Gingrich intercept or other more recent incidents.

AFAIK (and IANAL), the DOJ has rarely if ever applied Title III
to ordinary radio receivers or other hardware which has general purpose
uses. Scanners and other radio receivers sold to the general public are
regulated by the FCC under authority created in 1993, and FCC rules were
substantially toughened around 1999 to require scanners not be readily
modifiable to tune analog cellular frequencies and meet certain design
criteria intended to make this harder and make it harder to hear
cellular calls on image frequencies. These rules also make it illegal to
modify scanners to tune cellular calls.

I know of no court case which has established that sale or
possession of scanners or radio receivers built before the ban on
cellular reception went into effect is illegal, and many tens of
thousands if not hundreds of thousands of such radios are in circulation
(and sold regularly on eBay).

In recent years there have been a small number of prosecutions for
sale or possession of radio equipment and software to intercept
commercial common carrier pager transmissions under Title III.   There
is at least one precedent that defines such software as a Title III
device.

This probably means that software specifically intended to
enable intercept of any other  signal that is not legal to listen to
might also be declared a Title III device, though I am unaware of this
having happened as of yet.

However, even though the cell industry asked the FCC to do so,
the FCC has declined to regulate test equipment - including test
equipment that can tune and demodulate digital cellular and other
forbidden RF signals - provided it is not marketed to the general
public.   It is not illegal to possess or sell, import or export,
manufacture or modify such gear though of course it is illegal to
actually use such gear to intercept signals not included in the list of
allowed to listen to signals in section 119 of Title III.

And obviously regulation of test equipment would pose some very
difficult problems - since many many common real world RF tests require
DC to daylight  coverage without gaps to spot spurious signals, mixing
products, noise, interference etc... and crippled test equipment COULD
not do this job.


-- 
  Dave Emery N1PRE/AE, [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493
An empty zombie mind with a forlorn barely readable weatherbeaten
'For Rent' sign still vainly flapping outside on the weed encrusted pole - in 
celebration of what could have been, but wasn't and is not to be now either.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: How the Greek cellphone network was tapped.

2007-07-21 Thread bear


On Thu, 19 Jul 2007, Charles Jackson wrote:

An earlier post, talking about vulnerabilities and the lack of an
appropriate market response, said:

We're talking about phone calls -- did all of the well-publicized
cellular eavesdropping (Prince Charles, Newt Gingrich (then a major US
politician), and more) prompt a change?  Well, there are now US laws
against that sort of phone eavesdropping gear -- a big help

Halfway, I think.  ISTR there are laws against manufacture for sale,
sale, purchase, or most usage of such gear - but no laws against
manufacture without intent to sell, possession, or some exempted
types of use of such gear.

Basically, owning such devices is not a crime, nor is using them
provided the target has been duly notified that their call will be
or is being intercepted.  So you can build the gear, and you can demo
the gear you've built on a call made for purposes of demo-ing the
gear.

Consult a lawyer first, but I believe it may also be legal to monitor
calls made in a given location provided you first put up a sign that
says all cell calls made on these premises will be monitored etc.
But you can't legally buy or sell the equipment to do it.

 I think the most publicized cases of cellular interception,
 including the two mentioned above, were interceptions of analog
 calls.  Such interception was not too hard to do.  In some cases you
 could pick up one side of such calls on old American TV sets (sets
 that tuned above channel 69 on the UHF dial).

The technical requirement was for a TV with a UHF analog *tuner* as
opposed to a digital channel-selection dial.  The channels that the
cellular network used (still uses?  I don't know) were in between the
channels that were assigned whole numbers in TV tuning.  So you could
pick up some cell traffic if you tuned, for example, to UHF TV
channel 78.44.  But not if you tuned to channel 78 or channel 79.

Bear



Re: How the Greek cellphone network was tapped.

2007-07-21 Thread Steven M. Bellovin
On Sat, 21 Jul 2007 04:46:51 -0700 (PDT)
bear [EMAIL PROTECTED] wrote:

 
 
 On Thu, 19 Jul 2007, Charles Jackson wrote:
 
 An earlier post, talking about vulnerabilities and the lack of an
 appropriate market response, said:
 
 We're talking about phone calls -- did all of the well-publicized
 cellular eavesdropping (Prince Charles, Newt Gingrich (then a major
 US politician), and more) prompt a change?  Well, there are now US
 laws against that sort of phone eavesdropping gear -- a big help
 
 Halfway, I think.  ISTR there are laws against manufacture for sale,
 sale, purchase, or most usage of such gear - but no laws against
 manufacture without intent to sell, possession, or some exempted
 types of use of such gear.
 
 Basically, owning such devices is not a crime, nor is using them
 provided the target has been duly notified that their call will be
 or is being intercepted.  So you can build the gear, and you can demo
 the gear you've built on a call made for purposes of demo-ing the
 gear.

Not as I read the statute (and of course I'm not a lawyer).  Have a
look at 18 USC 2512
(http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2512000-.html)

any person who intentionally ...

manufactures, assembles, possesses, or sells any electronic,
mechanical, or other device, knowing or having reason to know
that the design of such device renders it primarily useful for the
purpose of the surreptitious interception of wire, oral, or
electronic communications, and that such device or any component
thereof has been or will be sent through the mail or transported
in interstate or foreign commerce;

...

So simple possession of a surreptitious interception device is illegal,
with exceptions for things like sale to law enforcement or
communications companies.

 
 Consult a lawyer first, but I believe it may also be legal to monitor
 calls made in a given location provided you first put up a sign that
 says all cell calls made on these premises will be monitored etc.
 But you can't legally buy or sell the equipment to do it.

Probably -- that's not surreptitious.
 
  I think the most publicized cases of cellular interception,
  including the two mentioned above, were interceptions of analog
  calls.  Such interception was not too hard to do.  In some cases you
  could pick up one side of such calls on old American TV sets (sets
  that tuned above channel 69 on the UHF dial).
 
 The technical requirement was for a TV with a UHF analog *tuner* as
 opposed to a digital channel-selection dial.  The channels that the
 cellular network used (still uses?  I don't know) were in between the
 channels that were assigned whole numbers in TV tuning.  So you could
 pick up some cell traffic if you tuned, for example, to UHF TV
 channel 78.44.  But not if you tuned to channel 78 or channel 79.

The specific law I had in mind when I posted that note was the
ban on scanners capable of picking up cellular bands, as well as
decoders to convert digital cellular signals to analog.  See
http://findarticles.com/p/articles/mi_m3457/is_n17_v11/ai_13701996
and http://www.eff.org/Legislation/?f=bills_affect_online.notice.txt

There are other provisions in the law that bar interception of
encrypted or scrambled signals, but I haven't waded through the
verbiage enough to know if they apply here.



--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: How the Greek cellphone network was tapped.

2007-07-21 Thread bear


On Sat, 21 Jul 2007, Steven M. Bellovin wrote:

Not as I read the statute (and of course I'm not a lawyer).  Have a
look at 18 USC 2512
(http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2512000-.html)

   any person who intentionally ...

   manufactures, assembles, possesses, or sells any electronic,
   mechanical, or other device, knowing or having reason to know
that the design of such device renders it primarily useful for the
   purpose of the surreptitious interception of wire, oral, or
   electronic communications, and that such device or any component
   thereof has been or will be sent through the mail or transported
   in interstate or foreign commerce;

   ...

So simple possession of a surreptitious interception device is illegal,
with exceptions for things like sale to law enforcement or
communications companies.

Hm.  Okay, we're looking at the same law, and I am not a lawyer
either; but I read knowing or having reason to know ... that such
device or any component thereof has been or will be sent through the
mail or transported in interstate or foreign commerce as a limiting
clause on what would otherwise be an unconstitutional law.

In the case of someone who manufactures and possesses such a device,
but never sends it or its components through the mail nor transports
it in interstate or foreign commerce, I don't think this law gets
broken.  Despite intimidation tactics that do their best to try to
spread the opposite impression, this is explicitly *not* forbidden by
this law.

And the statute on using such a device, IIRC, also has a limitation,
in that it bans using such devices *surreptitiously* - which I think
permits non-surreptitious use such as demonstrations.

Still, it's a case of two reasonably educated people being able to
look at the same statute and draw different conclusions: Sooner or
later it will have to be decided in a trial to see who can pay the
best lawyers^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H see which
interpretation of the statute best serves justice.

Bear



Re: How the Greek cellphone network was tapped.

2007-07-19 Thread Peter Gutmann
Leichter, Jerry [EMAIL PROTECTED] writes:

Between encrypted VOIP over WIFI and eventually over broadband cell - keeping
people from running voice over their broadband connections is a battle the
telco's can't win in the long run - and just plain encrypted cell phone
calls, I think in a couple of years anyone who wants secure phone connections
will have them.

I think you're looking at this a bit wrong.  I remember the same opinion as
the above being expressed on the brew-a-stu list about fifteen years ago, and
no doubt some other list will carry it in another fifteen years time, with
nothing else having changed.  Anyone who wants secure voice connections
(governments/military and a vanishingly small number of hardcore geeks)
already have them, and have had them for years.  Everyone else just doesn't
care, and probably never will.  This is why every single encrypted-phones-for-
the-masses project has failed in the market.  People don't see phone
eavesdropping as a threat, and therefore any product that has a nonzero price
difference or nonzero usability difference over an unencrypted one will fail.
This is why the only successful encrypted phone to date has been Skype,
because the crypto comes for free.

I once had a chat with someone who was responsible for indoctrinating the
newbies that turn up in government after each election into things like phone
security practices.  He told me that after a full day of drilling it into them
(well, alongside a lot of other stuff from other departments) it sometimes
took them as long as a week before they were back to loudly discussing
sensitive information on a cellphone in the middle of a crowded restaurant.

So in terms of secure voice communications, the military and geeks are already
well served, and everyone else doesn't care.  Next, please.

Peter.



Re: How the Greek cellphone network was tapped.

2007-07-19 Thread Perry E. Metzger

[EMAIL PROTECTED] (Peter Gutmann) writes:
 I think you're looking at this a bit wrong.  I remember the same opinion as
 the above being expressed on the brew-a-stu list about fifteen years ago, and
 no doubt some other list will carry it in another fifteen years time, with
 nothing else having changed.  Anyone who wants secure voice connections
 (governments/military and a vanishingly small number of hardcore geeks)
 already have them, and have had them for years.  Everyone else just doesn't
 care, and probably never will.

I think this is a slight overstatement.

If security on login connections was expensive, difficult, or not part
of the common infrastructure, everyone would still be using plaintext
passwords over telnet. However, ssh is just as easy or in fact easier
to use than telnet/ftp/etc., so that it has become ubiquitous.

If using secure phones was as cheap and easy as using insecure ones,
everyone would do it. They just won't go out of their way to do
it. The market will happily accept a new feature that is free and
zero complexity in use. It is well within technical possibility to
create such a thing -- the issue is purely political.

Perry



Re: How the Greek cellphone network was tapped.

2007-07-19 Thread Leichter, Jerry
| Between encrypted VOIP over WIFI and eventually over broadband cell -
| keeping people from running voice over their broadband connections is
| a battle the telco's can't win in the long run - and just plain
| encrypted cell phone calls, I think in a couple of years anyone who
| wants secure phone connections will have them.
| 
| I think you're looking at this a bit wrong.  I remember the same
| opinion as the above being expressed on the brew-a-stu list about
| fifteen years ago, and no doubt some other list will carry it in
| another fifteen years time, with nothing else having changed.  Anyone
| who wants secure voice connections (governments/military and a
| vanishingly small number of hardcore geeks) already have them, and
| have had them for years.  Everyone else just doesn't care, and
| probably never will.  This is why every single encrypted-phones-for-
| the-masses project has failed in the market.  People don't see phone
| eavesdropping as a threat, and therefore any product that has a
| nonzero price difference or nonzero usability difference over an
| unencrypted one will fail.  This is why the only successful encrypted
| phone to date has been Skype, because the crypto comes for free.
| 
| I once had a chat with someone who was responsible for indoctrinating
| the newbies that turn up in government after each election into things
| like phone security practices.  He told me that after a full day of
| drilling it into them (well, alongside a lot of other stuff from other
| departments) it sometimes took them as long as a week before they were
| back to loudly discussing sensitive information on a cellphone in the
| middle of a crowded restaurant.
| 
| So in terms of secure voice communications, the military and geeks are
| already well served, and everyone else doesn't care.  Next, please.
I won't disagree with you here.  Most people don't perceive voice
monitoring as a threat to them - and if you're talking about monitoring
by many governments and by business intelligence snoopers, they are
perfectly correct.  (I say many governments because those governments
that actively monitor and control large portions of their citizenry
hardly make a secret of that fact, and citizens of those countries
just assume they might be overheard and act accordingly.  The citizens
of, for lack of a better general phrase, the Western democracies, are
quite right in their assessment that their governments really don't care
about what they are saying on the phone, unless they are part of a very
small subpopulation involved, whether legitimately or otherwise, in
politics or intelligence or a couple of other pretty well understood
areas.)

Selling protection against voice snooping to most people under current
circumstances is like selling flood insurance to people living in the
desert.  If you're an insurance hacker - like a security hacker - you
can point out that flash floods *can* happen, but if they are so rare
that no one is likely to be affected in their lifetime, your sales
pitch *should* fail.

What will change things is not the technology but the perception of a
threat.  Forty years ago, the perceived threat from airplane hijacking
was that it was non-existent, and no one would consider paying the cost.
Today, we pay a very significant cost.  The threat is certainly
greater, but the *perceived* threat is orders of magnitude beyond even
that.

The moment the perceived threat from phone eavesdropping exceeds some
critical level, the market for solutions (good and, of course,
worthless) will materialize.  As you note, in the military and
intelligence community, the real and perceived threats have been there
for years.  And the crypto hackers will perceive a threat whether it
exists or not.

I'd guess that the next step will be in the business community.  All it
will take is one case where a deal is visibly lost because of proven
eavesdropping (proven in quotes because it's unlikely that there will
really be any proof - just a *perception* of a smoking gun - and in fact
it could well be that the trigger case will really be someone covering
his ass over a loss for entirely different reasons) and all of a sudden
there will be a demand for strong crypto on every Blackberry phone link.
Things have a way of spreading from there:  If the CEO's need this, then
maybe I need it, too.  If it is expensive or inconvenient, I may feel
the need, but I won't act on it.  But the CEO's will ensure that it
isn't inconvenient - they won't put up with anything that isn't
invisible to them - and technology will quickly drive down the cost.

-- Jerry



Re: How the Greek cellphone network was tapped.

2007-07-19 Thread Bill Stewart

At 07:37 AM 7/12/2007, Eric Cronin wrote:
 With current CPUs and audio codecs you can get
 decent voice quality over 9600bps.

Yes and no.  There are lots of 8kbps codecs, and some 6.5 and 5.3kbps codecs,
all of which give acceptable voice quality if transmission's ok.
(And you can reduce average transmission rates by 40-50% with silence
suppression.)


However, that's the raw codec rate - if you're taking the VOIP packets,
wrapping them in RTP, UDP, and IP headers, and then transmitting them on
a layer 2 protocol with as little overhead as PPP or Frame,
the 8kbps becomes more like 26 kbps (Ethernet and ATM are worse,
and DSL is ATM underneath - I'm not sure what the cellular carriers do for
framing.)

The problem is that the Voice-stream data packets are extremely small -
the same headers don't add much overhead percentage when you're using 
1500-byte data packets.


In some environments you can do header compression to save about half the
bandwidth, but in general you can't.  The Asterisk IP PBX has a trunking
protocol that lets you use one set of RTP/UDP/IP headers to carry multiple
streams of voice packets, so you can connect two locations together for close
to the raw protocol speeds, but that's not likely to apply to a mobile phone
situation.

The other way to avoid the VOIP overhead is to use one of the old
voice-over-data designs that uses point-to-point async or sync connections
without an IP layer (e.g. raw modems.)  That lets you send voice for
much closer to the 9600 bps (depending on sync protocol, async stop-bits, etc.)

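Bill Stewart's arithmetic above (an 8 kbps codec growing to roughly 26 kbps once RTP/UDP/IP and PPP framing are added, worse on Ethernet and ATM, about half that with header compression, close to the raw rate when several streams are trunked behind one header set, and near the codec rate on a plain async link with no IP layer) can be reproduced with a small calculator. This is an added example, not code from the post, from Asterisk or from any other project; the header sizes, the per-packet layer-2 overheads and the 20 ms packetisation interval are the usual textbook figures and are assumptions here, and the function names are invented for the example.

```python
"""Effective line rate of a VoIP stream once codec frames are wrapped in
RTP/UDP/IP and a layer-2 framing.  Header and framing sizes below are
typical textbook values (assumed, not taken from the post): IPv4 with no
options, RFC 2508-style compressed headers, and HDLC-style PPP framing."""
import math

RTP_HDR = 12            # RTP fixed header, bytes
UDP_HDR = 8
IPV4_HDR = 20
CRTP_HDR = 2            # compressed RTP/UDP/IP header, typical size (assumed)

# Per-packet layer-2 overhead in bytes (typical figures, assumed)
L2_OVERHEAD = {
    "ppp": 6,           # HDLC-style PPP framing
    "frame_relay": 6,
    "ethernet": 18,     # 14-byte MAC header + 4-byte FCS (preamble/IFG not counted)
}
ATM_CELL, ATM_PAYLOAD, AAL5_TRAILER = 53, 48, 8


def packet_bytes(codec_bps, frame_ms, frames_per_packet=1, streams=1, crtp=False):
    """Bytes of one RTP packet before layer-2 framing.

    `streams` > 1 models a trunking scheme in which several voice streams
    share a single RTP/UDP/IP header set, as the post describes for the
    Asterisk trunk mode (modelled here, not Asterisk's actual format).
    """
    # audio bytes per stream per packet: bps * seconds / 8 bits per byte
    payload = codec_bps * frame_ms * frames_per_packet // 8000
    headers = CRTP_HDR if crtp else RTP_HDR + UDP_HDR + IPV4_HDR
    return streams * payload + headers


def voip_rate_bps(codec_bps, frame_ms, l2="ppp", frames_per_packet=1,
                  streams=1, crtp=False, silence_suppression=0.0):
    """Effective bits per second *per voice stream* on the given layer 2.

    silence_suppression is the fraction of packets not sent (0.0 .. 1.0).
    """
    pkt = packet_bytes(codec_bps, frame_ms, frames_per_packet, streams, crtp)
    if l2 == "atm":
        # AAL5: add the trailer, then round up to whole 53-byte cells
        cells = math.ceil((pkt + AAL5_TRAILER) / ATM_PAYLOAD)
        wire = cells * ATM_CELL
    else:
        wire = pkt + L2_OVERHEAD[l2]
    pps = 1000 / (frame_ms * frames_per_packet)      # packets per second
    per_stream = wire * 8 * pps / streams
    return per_stream * (1 - silence_suppression)


def raw_async_rate_bps(codec_bps, data_bits=8, stop_bits=1, parity=False):
    """Voice over a point-to-point async link with no IP layer at all:
    the only overhead is the start, stop and optional parity bit per byte."""
    framing = 1 + data_bits + stop_bits + (1 if parity else 0)
    return codec_bps * framing / data_bits


if __name__ == "__main__":
    codec = 8000                                     # an 8 kbps codec, 20 ms frames
    print(f"codec rate            {codec:>8} bps")
    for l2 in ("ppp", "frame_relay", "ethernet", "atm"):
        print(f"RTP/UDP/IP over {l2:<11} {voip_rate_bps(codec, 20, l2):>8.0f} bps")
    print(f"cRTP over ppp         {voip_rate_bps(codec, 20, 'ppp', crtp=True):>8.0f} bps")
    print(f"10 streams trunked    {voip_rate_bps(codec, 20, 'ppp', streams=10):>8.0f} bps/stream")
    print(f"ppp, 50% silence      {voip_rate_bps(codec, 20, 'ppp', silence_suppression=0.5):>8.0f} bps")
    print(f"raw async 8N1         {raw_async_rate_bps(codec):>8.0f} bps")
```

The numbers line up with the post: 8 kbps over PPP comes out at 26.4 kbps, Ethernet and ATM are worse (31.2 and 42.4 kbps), compressed headers bring PPP down to 11.2 kbps, ten trunked streams cost 9.84 kbps each, and an 8 kbps stream on a raw 8N1 async link is 10 kbps.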


Re: How the Greek cellphone network was tapped.

2007-07-19 Thread Steven M. Bellovin
On Tue, 17 Jul 2007 13:11:41 -0400 (EDT)
Leichter, Jerry [EMAIL PROTECTED] wrote:

 
 I'd guess that the next step will be in the business community.  All
 it will take is one case where a deal is visibly lost because of
 proven eavesdropping (proven in quotes because it's unlikely that
 there will really be any proof - just a *perception* of a smoking gun
 - and in fact it could well be that the trigger case will really be
 someone covering his ass over a loss for entirely different reasons)
 and all of a sudden there will be a demand for strong crypto on every
 Blackberry phone link. Things have a way of spreading from there:  If
 the CEO's need this, then maybe I need it, too.  If it is expensive
 or inconvenient, I may feel the need, but I won't act on it.  But the
 CEO's will ensure that it isn't inconvenient - they won't put up with
 anything that isn't invisible to them - and technology will quickly
 drive down the cost.

You're an optimist.  There was the Israeli case of the tailored virus.
I haven't noticed any rush to get rid of insecure operating systems,
mailers, and word processors.  Or have a look at
http://fe24.news.re3.yahoo.com/s/nm/20070717/tc_nm/internet_attack_dc
and ask if that will do it.  (Department of Transportation?  Department
of Defenses, more likely, from that list of businesses...)  Today's
Wall Street Journal reported on new threats from ads on the Internet,
and loudly worried why ad companies and web sites weren't doing more to
filter their offerings.  But an ad is just web content, which means
that the real problem is the web browser and host OS.  Will that prompt
a switch?

We're talking about phone calls -- did all of the well-publicized
cellular eavesdropping (Prince Charles, Newt Gingrich (then a major US
politician), and more) prompt a change?  Well, there are now US laws
against that sort of phone eavesdropping gear -- a big help

Want another example?  How many US corporations have major operations
in China?  What are the odds that the Chinese government is listening
in?  If you're uncertain, see (a) the posting on this list a few days
ago about the landing declaration about communications security devices
and yesterday's news story about email problems to China because of
apparent problems with the Great Firewall
(http://www.cnn.com/2007/TECH/07/18/china.email.reut/index.html).  None
of his seems to have affected business there.  (Nor are corporations
unaware of this; I was advising people on this close to 20 years ago.)

I agree that it will take a trigger.  I don't know what that trigger
will be, but it won't be something as simple as a proven case.  It's
hard to predict what will get enough people upset; sometimes, it's
nothing at all.  (Remember the Pentium serial number case?  Objectively,
that was a complete non-issue, but enough people got upset about it
that Intel had to back off.)

It will also have to be dead simple.  It can't happen on the POTS
network, because modem handshaking takes too long.  It can't happen on
conventional cellular unless the voice is traveling over a
clear-channel end-to-end data connection, not something that the
carrier's equipment knows is voice.  (There's also the question of
phone CPU access to the voice channel, per Bill Stewart's post.)  It
could happen for VoIP if done properly, as others have pointed out.  It
has to be easy to use, which means that things like PKIs are, shall we
say, obstacles.


--Steve Bellovin, http://www.cs.columbia.edu/~smb



RE: How the Greek cellphone network was tapped.

2007-07-19 Thread Charles Jackson
An earlier post, talking about vulnerabilities and the lack of an
appropriate market response, said:

We're talking about phone calls -- did all of the well-publicized
cellular eavesdropping (Prince Charles, Newt Gingrich (then a major US
politician), and more) prompt a change?  Well, there are now US laws
against that sort of phone eavesdropping gear -- a big help


I think the most publicized cases of cellular interception, including the
two mentioned above, were interceptions of analog calls.  Such interception
was not too hard to do.  In some cases you could pick up one side of such
calls on old American TV sets (sets that tuned above channel 69 on the UHF
dial).  Much better interception equipment was still pretty simple.  I
understand that there was sometimes enough talker echo that, if you listened
on the base-to-mobile link you could understand both sides of the call - you
didn't even need two receivers.

However, interception of digital wireless signals requires more skill and
expense.  Interception of CDMA is harder than interception of GSM.
Interception and recovery of encrypted digital is still more difficult.  The
3G wireless standards permit AES quality encryption of the voice - I don't
know if carriers have this turned on.  I am pretty sure they have it or the
equivalent turned on for functions that limit theft of service such as the
initial activation of service on CDMA networks.  

I do know of business executives who, when informed of the ease of
interception of analog cellular, changed their behavior.  

Chuck Jackson





Re: How the Greek cellphone network was tapped.

2007-07-16 Thread Leichter, Jerry
|  Crypto has been an IP minefield for some years.  With the expiry of
|  certain patents, and the availability of other unencumbered crypto
|  primitives (eg. AES), we may see this change.  But John's other
|  points are well made, and still valid.  Downloadable MP3 ring tones
|  are a selling point.  E2E security isn't (although I've got to
|  wonder about certain teenage demographics... :)
| 
| It's also an open question whether network operators subject to
| interception requirements can legally offer built-in E2E encryption
| capabilities without backdoors.
It's going to be interesting to see the effect of the iPhone in this
area.  While nominally a closed system like all the handsets that
preceded it, in practice it's clear that people will find ways to load
their own code into the things.  (As of yesterday - less than two weeks
after the units shipped - people have already teased out how to get to
the debugging/code patching interface and have extracted the internal
passwords.  The community doing this would make a fascinating study in
and of itself - an international group coordinating through an open IM
line, tossing around ideas.)  There's plenty of CPU power available, and
a fairly standard environment.  (In fact, recent reports hint that the
chip contains a hardware accelerator for Java.)

Between encrypted VOIP over WIFI and eventually over broadband cell -
keeping people from running voice over their broadband connections is a
battle the telco's can't win in the long run - and just plain encrypted
cell phone calls, I think in a couple of years anyone who wants secure
phone connections will have them.  There will be tons of moaning about
it from governments - not to mention the telco's, though for them that
will be a triviality compared to all the other things they will lose
control over - but no one is going to be able to put this genie back
in the bottle.

Also, right now, the technology to build a cell phone is still
specialized and capital-intensive.  But today's leading-edge chip and
manufacturing technology is tomorrow's commodity.  Ten, twenty years
from now, anyone will be able to put together the equivalent of today's
iPhone, just as anyone can go down to Fry's today and build themselves
what was a high-end PC a couple of years ago.  You can't quite build
your own laptop yet, but can that be far off?  A gray box cellphone
might not compete with what you'll be able to buy from the leading-edge
guys of the day, but it will be easily capable of what's needed to do
secure calling.

So - who's going to write the first RFC for secure voice over cell, thus
circumventing the entire government/telco/PTT standards process?  We're
not quite ready for it to take off, but we're getting close.

-- Jerry



Re: How the Greek cellphone network was tapped.

2007-07-16 Thread John Denker

On 07/10/2007 01:59 AM, Florian Weimer wrote:


It's also an open question whether network operators subject to
interception requirements can legally offer built-in E2E encryption
capabilities without backdoors.


I agree.  It's a tricky question;  see below

JI responded:

You probably meant device vendors, not network operators. 


We all agree we can make a distinction between telcos and phone HW
manufacturers.  But that may not be the relevant distinction.

I know in the US, and I imagine elsewhere, telcos buy phones from
the OEMs and then retail them to customers.  That makes them, in
the eyes of the law, both telecommunication carriers *and* device
vendors, even if they are not device OEMs.


The whole
*point* of E2E security is that network operators are not involved. If
they were, it wouldn't be end-to-end!


Well, that's logical, but who said the law has to be logical?

IANAL but AFAICT the most sweeping parts of the CALEA law apply
to telecommunication carriers as defined in section 1001:
  
http://www4.law.cornell.edu/uscode/html/uscode47/usc_sec_47_1001000-.html

Customer encryption is explicitly not included by the terms of
section 1002:
  
http://www4.law.cornell.edu/uscode/html/uscode47/usc_sec_47_1002000-.html
... unless the encryption was provided by the carrier and
the carrier possesses the information necessary to decrypt
the communication.

I repeat: ... unless the encryption was provided by the carrier
and the carrier possesses the information necessary to decrypt
the communication.

Following this line of thought leads to all sorts of illogical
conclusions, including:
 a) Arguably it might be OK to buy a backdoor-free crypto phone
  from the grocery store, but not OK to buy or lease it from
  the phone company.
 b) Arguably you could buy a phone from the telco with no
  crypto at all, and then take it to Orange County Choppers
  and have them install backdoor-free crypto.
 c) Arguably the OEM could have two product lines, one without
  backdoors, to be sold via telcos, and one without backdoors,
  to be sold otherwise.
 d) Arguably everybody is OK provided the telco doesn't have
  the keys.  Maybe you can use a crypto phone provided by a
  US telco if you have a high-assurance way of changing the
  keys to the back door as well as the front door.
 e) We all know the laws differ wildly from one jurisdiction
  to another ... and the laws can be changed at any time.

The cost of the second product line (item b) might not be too
much higher than the first product line (item a), since it
could be considered a /byproduct/, such that all the big
development costs are attributed to line (a) ... assuming
there is a market for crypto phones of any kind.


As to whether any such market will develop in the near future
is another interesting question.  The fact that only a tiny
fraction of present-day email is E2E encrypted is not an
encouraging sign.  (Email is easier to encrypt than voice.)



Re: How the Greek cellphone network was tapped.

2007-07-16 Thread Bill Stewart

At 10:59 PM 7/9/2007, Florian Weimer wrote:

Uh-oh, no.  The protocol characteristics don't change depending on
who is selling you the device.


Of course they do, at least in the US,
where the mobile phones are generally carrier-specific,
often locked, and generally don't have open designs.
In particular, they're not usually designed to let the
data applications get at the voice compression ASICs,
but they usually don't have enough CPU to compress voice in Java
if they can get at the voice stream at all.
Some of the PDA phones are more flexible, and I'd expect
OpenMoko to be much more flexible.


Many telcos have an aversion to end-to-end protocols.


They're getting better about it, but the transmission characteristics
from most of the data protocols aren't designed for voice,
unless you're willing to do push-to-talk or equivalent.
So ironically, if you want to get good latency for 5.3kbps voice,
you'll want the fastest data protocols.
HSDPA's latency is 100-200ms, and upstream is 100+ kbps -
you could probably run uncompressed voice which is about 80kbps,
since latency's less of a problem.
(EDGE has upstream of 40-60kbps, but latency is 350+
so the more compressed protocols aren't going to behave.
I don't have the 1xRTT numbers handy, but I think they're similar.)






Re: How the Greek cellphone network was tapped.

2007-07-16 Thread Ken Buchanan

On 7/9/07, alan [EMAIL PROTECTED] wrote:

Makes me wonder how this will affect the OpenMoko phone if someone builds
an encryption layer for it. (OpenMoko is a totally open sourced phone.)



Leigh Honeywell and Paul Wouters presented a 'crypto-phone' effort
they have been working on at CCC in Germany last December.

They later presented an update at a meeting in Toronto:
http://www.task.to/events/presentations/securephone-task.pdf

They are building on OpenMoko and the Neo1973 phone
(http://wiki.openmoko.org/wiki/Neo1973), because it is the only phone
they could find that allows OS modifications without breaking code
signing.

As I understand it, it's not true end-to-end.  It makes a 'VPN'
connection to an Asterisk PBX that you have configured somewhere in
the world, presumably on a phone network trusted more than the
wireless one you are currently on.  If the PBX has to route the call
back into public infrastructure to the other endpoint, then there is
cleartext exposure again.



Re: How the Greek cellphone network was tapped.

2007-07-16 Thread Eric Cronin


On Jul 6, 2007, at 6:20 PM, John Ioannidis wrote:



Unfortunately, it's not so easy to roll your own on top of a 3G-enabled
smartphone. The broadband channel does not have the tight jitter and
throughput guarantees that voice needs, and some providers (Verizon in
the USA for example) consider running voice traffic over their broadband
network a violation of the usage agreement (no need to blame the
government for that, their own greed is adequate explanation). There are
lots of other technical and human-factors issues that have been covered
to great extent in this and other fora.


/ji


The Cryptophone project in Europe http://www.cryptophone.de/ has been
trying to tackle the QoS issues for four or five years now.  I haven't
looked at their implementation closely in several years, but back in
2002 or so they were using CSD (modem-modem calls) instead of the
broadband channel, trading bandwidth for low jitter...  With current
CPUs and audio codecs you can get decent voice quality over 9600bps.


Thanks,
Eric




Re: How the Greek cellphone network was tapped.

2007-07-10 Thread John Ioannidis

Florian Weimer wrote:


It's also an open question whether network operators subject to
interception requirements can legally offer built-in E2E encryption
capabilities without backdoors.



You probably meant device vendors, not network operators. The whole 
*point* of E2E security is that network operators are not involved. If 
they were, it wouldn't be end-to-end!


/ji



Re: How the Greek cellphone network was tapped.

2007-07-10 Thread alan

On Mon, 9 Jul 2007, Florian Weimer wrote:


* Ian Farquhar:


Crypto has been an IP minefield for some years.  With the expiry of
certain patents, and the availability of other unencumbered crypto
primitives (eg. AES), we may see this change.  But John's other
points are well made, and still valid.  Downloadable MP3 ring tones
are a selling point.  E2E security isn't (although I've got to
wonder about certain teenage demographics... :)


It's also an open question whether network operators subject to
interception requirements can legally offer built-in E2E encryption
capabilities without backdoors.


Makes me wonder how this will affect the OpenMoko phone if someone builds 
an encryption layer for it. (OpenMoko is a totally open sourced phone.)


I am still trying to convince my wife to let me get a developers kit for 
it.


--
ANSI C says access to the padding fields of a struct is undefined.
ANSI C also says that struct assignment is a memcpy. Therefore struct
assignment in ANSI C is a violation of ANSI C...
  - Alan Cox



Re: How the Greek cellphone network was tapped.

2007-07-10 Thread Florian Weimer
* John Ioannidis:

 Florian Weimer wrote:

 It's also an open question whether network operators subject to
 interception requirements can legally offer built-in E2E encryption
 capabilities without backdoors.
 

 You probably meant device vendors, not network operators. The whole
 *point* of E2E security is that network operators are not involved. If
 they were, it wouldn't be end-to-end!

Uh-oh, no.  The protocol characteristics don't change depending on who
is selling you the device.  Many telcos have an aversion to end-to-end
protocols.  Building reliable networks for ill-behaving end systems
has been a pretty recent idea (and we are still far away from a
complete solution).

There aren't any interception requirements for device vendors, either,
at least not any I'm aware of.  They aren't telcos.  Projects like
OpenMoko should not be affected.



RE: How the Greek cellphone network was tapped.

2007-07-10 Thread Chris Trott
It's an interesting question for sure.

I can't help but think that if the hardware platforms were to open up, and
the handsets obtain some sort of ubiquity that this sort of thing would
spontaneously evolve.

I saw this link today:
http://www.gizmodo.com.au/2007/07/openmokocom_goes_live_get_your.html
And apart from the fact that I was just plain out impressed that it has 2 3d
accelerometers, I thought it was only a matter of time before someone
inserts a cryptographic layer between the voice and the transmission.

Cheers,

Chris





RE: How the Greek cellphone network was tapped.

2007-07-09 Thread Ian Farquhar (ifarquha)
 2. E2E crypto on mobiles would require cross-vendor support, which would
 mean that it would have to go into the standard.  Unfortunately, standards
 in the mobile world are heavily influenced by governments, and the four
 horsemen of the apocalypse (drug dealers, paedophiles, spies, and
 terrorists) are still being used by government types to nix any attempts
 at crypto they can't break or intercept.

Handset suppliers are traditionally uncomfortable with licensing fees for
non-core function.  This is why, for example, memory card support has been
needed for so long, but is a relatively recent phenomenon.  The suppliers
didn't want to pay licensing fees to the card standards bodies, despite the
massively increased data storage needs which were coincident with the
addition of camera functionality to phones.

Crypto has been an IP minefield for some years.  With the expiry of certain
patents, and the availability of other unencumbered crypto primitives (eg.
AES), we may see this change.  But John's other points are well made, and
still valid.  Downloadable MP3 ring tones are a selling point.  E2E security
isn't (although I've got to wonder about certain teenage demographics... :)

And don't forget, some of the biggest markets are still crypto-phobic.  Every
time I enter China I have to tick a box on the entry form indicating that I
am not carrying any communications security equipment.  When my GSM mobile
roams onto China Telecom, the unlocked padlock logo appears denoting that
even A5/2 isn't allowed.  Yet China has mandated full cellphone coverage,
even in rural areas, and for companies like Motorola and Nokia, it's a
must-own marketplace.  Features which may worry the often inconsistent and
capricious State Encryption Management Committee (SEMC), who can block the
entry of your product into China, are going to be pruned from the product
list pretty damn quickly.

Ian.



Re: How the Greek cellphone network was tapped.

2007-07-09 Thread Steven M. Bellovin
On Mon, 9 Jul 2007 17:52:38 +1000
Ian Farquhar (ifarquha) [EMAIL PROTECTED] wrote:


 
 And don't forget, some of the biggest markets are still
 crypto-phobic.  Every time I enter China I have to tick a box on the
 entry form indicating that I am not carrying any communications
 security equipment. 


That's interesting -- the news just came out about Blackberry entering
the Chinese market...  See
http://www.technewsworld.com/story/58167.html which (briefly) discusses
such issues.


--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: How the Greek cellphone network was tapped.

2007-07-09 Thread Florian Weimer
* Ian Farquhar:

 Crypto has been an IP minefield for some years.  With the expiry of
 certain patents, and the availability of other unencumbered crypto
 primitives (eg. AES), we may see this change.  But John's other
 points are well made, and still valid.  Downloadable MP3 ring tones
 are a selling point.  E2E security isn't (although I've got to
 wonder about certain teenage demographics... :)

It's also an open question whether network operators subject to
interception requirements can legally offer built-in E2E encryption
capabilities without backdoors.



Re: How the Greek cellphone network was tapped.

2007-07-08 Thread John Ioannidis

silvio wrote:


Aren't run-of-the-mill cellphones these days powerful enough to use
available software like OpenSSL to encrypt voice/datastreams?
Again...what are the options for end-to-end cell encryption right now?


Mobile phones have had spare cycles for doing strong crypto for a very 
long time. There are two classes of reasons why this is not happening 
and is (unfortunately) never going to happen:


1. Practically no users ask for it, so the handset vendors prefer to 
use development resources to build even more flashy features, rather 
than allocate resources to developing E2E security. No user would ever 
brag about how secure their phone is, but they would brag about how they 
can play video games or take pictures or whatever, or how small it is.


2. E2E crypto on mobiles would require cross-vendor support, which would 
mean that it would have to go into the standard.  Unfortunately, 
standards in the mobile world are heavily influenced by governments, and 
the four horsemen of the apocalypse (drug dealers, paedophiles, spies, 
and terrorists) are still being used by government types to nix any 
attempts at crypto they can't break or intercept.


Unfortunately, it's not so easy to roll your own on top of a 3G-enabled 
smartphone. The broadband channel does not have the tight jitter and 
throughput guarantees that voice needs, and some providers (Verizon in 
the USA for example) consider running voice traffic over their 
broadband network a violation of the usage agreement (no need to blame 
the government for that, their own greed is adequate explanation). 
There are lots of other technical and human-factors issues that have 
been covered to great extent in this and other fora.


/ji



Re: How the Greek cellphone network was tapped.

2007-07-06 Thread silvio
Perry E. Metzger wrote:

 A fascinating IEEE Spectrum article on the incident in which lawful
 intercept facilities were hacked to permit the secret tapping of
 the mobile phones of a large number of Greek government officials,
 including the Prime Minister:
 
 http://www.spectrum.ieee.org/print/5280

So what are the options these days (the article even mentions end-to-end
encryption to make such an attack far more difficult)?
Every crypto-phone offering seems to go stale and disappear after a
while...perhaps related to the fact of being ridiculously expensive.
Aren't run-of-the-mill cellphones these days powerful enough to use
available software like OpenSSL to encrypt voice/datastreams?
Again...what are the options for end-to-end cell encryption right now?

Silvio



Re: How the Greek cellphone network was tapped.

2007-07-06 Thread Peter Gutmann
Perry E. Metzger [EMAIL PROTECTED] writes:

A fascinating IEEE Spectrum article on the incident in which lawful intercept
facilities were hacked to permit the secret tapping of the mobile phones of a
large number of Greek government officials, including the Prime Minister:

Some years ago I talked to an ex-GTE person about law enforcement requiring
intercept capabilities to be built into phone switches.  His comments about
their approach to security (which he was responsible for) were: They were
absolutely clueless, they assumed you could put 'Police line do not cross'
tape on the intercept portions and everyone would dutifully keep out.  He'd
left by the time it was implemented, but since there was never any significant
budget allocated to securing the intercept capabilities the impression I got
was that it only had whatever the developers could bolt on with the least cost
and effort.

Peter.



Re: How the Greek cellphone network was tapped.

2007-07-06 Thread Erik Tews
On Friday, 06.07.2007, 02:52 -0400, silvio wrote:
  http://www.spectrum.ieee.org/print/5280
 
 So what are the options these days (the article even mentions
 end-to-end
 encryption to make such an attack far more difficult)?
 Every crypto-phone offering seems to go stale and disappear after a
 while...perhaps related to the fact of being ridiculously expensive.
 Aren't run-of-the-mill cellphones these days powerful enough to use
 available software like OpenSSL to encrypt voice/datastreams?
 Again...what are the options for end-to-end cell encryption right now?

For example, I own a Nokia E70 smartphone running Symbian. There is an
application called fring, which is basically Skype for Symbian and runs
on the E70. Fring offers VoIP calls over Skype with your mobile phone.
The data is sent over the cellular network (UMTS or so) or wireless LAN,
which is supported by some phones too.

I don't know how much encryption Fring does (and I don't want to
speculate here about how secure it is), but it shows that you can do
VoIP on usual high-end consumer hardware.

So writing an application which does basically the same as fring and
uses extra cryptography should be possible. I have written some Java
code for the E70, and I know that it can do AES, RSA and DH in a
reasonable time, even if all computations are done in Java.

But this is all just about end-to-end encryption; you could still try to
backdoor the phone's firmware, or bug the phone itself (in hardware).
Additionally, you need some kind of public key infrastructure if you
want to call arbitrary people securely.

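The end-to-end scheme Erik sketches (a DH key agreement, then AES on the voice stream) has to live on the channel John Ioannidis describes: frames arrive late, out of order, or not at all, so a TLS-style byte stream is the wrong tool and each codec frame needs to stand on its own. The following is an added example, not code from any poster nor from Fring, OpenMoko or the Cryptophone project, written in Go against only its standard library (crypto/ecdh needs Go 1.20 or later). It runs X25519 between two simulated parties, derives one key per direction, seals every frame as an AES-GCM packet whose 8-byte sequence number is both the nonce and authenticated header, and on the receiving side accepts reordering within a 64-frame window while rejecting replayed and forged packets. The packet layout, the direction labels, the SHA-256 key derivation and the "voice-frame-N" payloads are all constructed for this example; the key exchange is deliberately unauthenticated, which is exactly the PKI gap Erik's last paragraph points at.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const seqLen, windowSize = 8, 64 // bytes of sequence number per packet; anti-replay window in frames

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKey is a simplified stand-in for HKDF: SHA-256 over secret||label.
func deriveKey(shared []byte, label string) []byte {
	sum := sha256.Sum256(append(append([]byte(nil), shared...), label...))
	return sum[:]
}

func newAEAD(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Endpoint is one party's state: a key per direction, the next sequence number
// to send, and the receive-side anti-replay window.
type Endpoint struct {
	tx, rx  cipher.AEAD
	seq     uint64 // next sequence number to send
	highest uint64 // highest received sequence number authenticated so far
	window  uint64 // bit d set => frame (highest-d) already accepted
}

// Seal protects one codec frame; the 8-byte header is associated data, so a forged sequence number fails the tag check.
func (e *Endpoint) Seal(frame []byte) []byte {
	hdr := binary.BigEndian.AppendUint64(nil, e.seq)
	e.seq++
	// GCM nonce = 4 zero bytes || seq; never repeats because each direction of each call has its own key.
	return e.tx.Seal(append([]byte(nil), hdr...), append(make([]byte, 4), hdr...), frame, hdr)
}

// Open accepts loss and reordering inside the window; rejects duplicates, stale frames and forgeries.
func (e *Endpoint) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < seqLen {
		return nil, errors.New("packet too short")
	}
	hdr, seq := pkt[:seqLen], binary.BigEndian.Uint64(pkt)
	if seq <= e.highest {
		if d := e.highest - seq; d >= windowSize || e.window&(1<<d) != 0 {
			return nil, errors.New("replayed or stale frame")
		}
	}
	frame, err := e.rx.Open(nil, append(make([]byte, 4), hdr...), pkt[seqLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	if seq > e.highest { // a shift of 64 or more yields 0 in Go, clearing the window
		e.window, e.highest = e.window<<(seq-e.highest)|1, seq
	} else {
		e.window |= 1 << (e.highest - seq)
	}
	return frame, nil
}

// NewCall runs X25519 between caller and callee (both simulated here). The public keys
// are NOT authenticated: that is the PKI (or verbal fingerprint check) a real system needs.
func NewCall() (caller, callee *Endpoint) {
	curve := ecdh.X25519()
	a, b := must(curve.GenerateKey(rand.Reader)), must(curve.GenerateKey(rand.Reader))
	sa, sb := must(a.ECDH(b.PublicKey())), must(b.ECDH(a.PublicKey())) // same bytes on both sides
	caller = &Endpoint{tx: newAEAD(deriveKey(sa, "caller->callee")), rx: newAEAD(deriveKey(sa, "callee->caller"))}
	callee = &Endpoint{tx: newAEAD(deriveKey(sb, "callee->caller")), rx: newAEAD(deriveKey(sb, "caller->callee"))}
	return caller, callee
}

// RunScenario seals five constructed stand-in frames, delivers them out of order,
// then replays one and delivers a tampered one, and reports each outcome.
func RunScenario() []string {
	caller, callee := NewCall()
	seal := func(i int) []byte { return caller.Seal([]byte(fmt.Sprintf("voice-frame-%d", i))) }
	p0, p1, p2, p3, p4 := seal(0), seal(1), seal(2), seal(3), seal(4)
	p4[len(p4)-1] ^= 0x01 // tamper: flip one bit of p4's GCM tag
	var out []string
	for _, p := range [][]byte{p0, p1, p3, p2, p1, p4} {
		if frame, err := callee.Open(p); err != nil {
			out = append(out, err.Error())
		} else {
			out = append(out, string(frame))
		}
	}
	return out
}

func main() { fmt.Println(RunScenario()) }
```

Two design points carry the weight here. The replay check happens before decryption, but only an authenticated frame is allowed to move the window, so a forged packet with a high sequence number cannot push legitimate frames out of it. And the sequence number doubles as the nonce only because every call and every direction gets a fresh key from the key agreement; reusing a key across calls with this nonce scheme would be a catastrophic GCM nonce reuse.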