> What is the risk? If the contents of Fort Knox were housed in an old
We don't know, he didn't tell us what his conversations were about so
now we'd have to make assumptions.
> If Steve's telephone conversations are similarly "dusty" and
> "anonymopus"... lets say boring, then likewise, they are practically
> secure because they will be of no interest to anyone, and even if
We don't know that, he didn't state.
> somebody happenned to overhear, the conversation would need to be of
> interest to the eavesdropper to even begin to carry the threat of any
Not necessarily. Lets say there were bored teenagers who made a habit
of searching around for VoIP data to sniff, just to see if it *was*
interesting.
> From a technical point of view, "WiFi" transmissions carrying VOIP
> are far more secure than conventional analogue phone traffic. Even
I'd disagree. In order to sniff VoIP over WiFi what do I need, a
laptop, an antenna and a wireless card. Everything else is free. Oh
and that's the same equipment I can use for everyday networking. On the
otherhand, if I want to start hooking up to telephone lines, the
problems are somewhat different to plopping down my laptop and attaching
an antenna.
> with the proliferation of sophisticated consumer electronics,
> eavesdropping on digitised sound is not simple. Specific packets have
> to be captured then the contents have to be reassembled and using
> appropriate codecs, have to be converted back to analogue. With the
Ethereal and Vomit are free. Jeff gave other links to other tools.
> Consider that the WiFi eavesdropper also needs to be within reception
> range and his task becomes even more difficult.
That's hardly a problem with a decent antenna. People have been
sniffing round for open AP's for ages, similarly screwing up Bluetooth.
Maybe VoIP credit card detail hijacking is next. It's not that
difficult.
> Finally, If Steve's conversations are highly confidential then he
> would not be asking this question here.
We still don't know that, maybe that's why he was asking.
> My answer to " ..are MY phone conversations secure over these
> connections?"..." for all practical purposes", ... .YES
I don't have a problem with agreeing with that considering that you can
listen to half of a mobile phone conversation any day you like by
standing next to someone and depending on the earpiece volume, maybe
full duplex. :)
In article <j42bf159dd66j4vvt25u4shsto7lcq55fa@4ax.com>,
jnitron <jnitron-nospam@hotmail.com> wrote:
:But, lets's consider the qualifier, "all practical purposes".
:What is the risk? If the contents of Fort Knox were housed in an old
:dusty anonymous warehouse, which nobody knew about, then it would be
:100% secure. Nobody would know about it so there would be no threat
:and no risk.
Nope. Kids have a hobby around here: they wander around and
break into or set fire to old dusty buildings.
"dusty anonymous" warehouses are also subject to "traffic analysis":
People enter and leave Fort Knox all the time, but people
mostly leave anonymous warehouses alone.
:If Steve's telephone conversations are similarly "dusty" and
:"anonymopus"... lets say boring, then likewise, they are practically
:secure because they will be of no interest to anyone, and even if
:somebody happenned to overhear, the conversation would need to be of
:interest to the eavesdropper to even begin to carry the threat of any
:potential adverse consequence.
Right. And "Echelon" is merely an organizational unit.
The USA denies it, but there is fairly solid evidence in Europe
(UK especially) and Australia, that there is widespread -automatic-
sorting through domestic and international telephone conversations --
automatically checking *all* calls through major exchanges
(not just calls from "suspects".) To the kind of people that set up
such massive checking, encrypted calls *by definition* are
"suspicious" and, if practical such calls should be broken and
analyzed.
--
"This was a Golden Age, a time of high adventure, rich living and
hard dying... but nobody thought so." -- Alfred Bester, TSMD
On Sun, 07 Aug 2005 07:48:48 GMT, David Taylor <djtaylor@bigfoot.com>
wrote:
>> Consider that the WiFi eavesdropper also needs to be within reception
>> range and his task becomes even more difficult.
>
>That's hardly a problem with a decent antenna. People have been
>sniffing round for open AP's for ages, similarly screwing up Bluetooth.
>Maybe VoIP credit card detail hijacking is next. It's not that
>difficult.
Well, it's a bit more difficult that it appears. One of the problems
I previously hinted is that in order to "wireless-tap" a VoIP
conversation, it is necessary to hear both radios that are involved.
Just listening to the access point only gives you half the
conversation. The solution is to either position yourself in an ideal
location, where both the AP and the client radio can be sniffed, or to
use two sniffers. It's especially messy with point to point links,
where there's often not enough RF at ground level to hear both sides
from one location.
If such sniffing is done with a single laptop, the antenna probably
needs to be an omnidirection affair (to hear both sides). While a
dish or panel might offer more gain to do this at a distance, the omni
will require that the sniffer be located fairly close to the radios.
However, for sniffing in a coffee shop, almost any antenna can be
used.
roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:
>The USA denies it, but there is fairly solid evidence in Europe
>(UK especially) and Australia, that there is widespread -automatic-
>sorting through domestic and international telephone conversations --
>automatically checking *all* calls through major exchanges
>(not just calls from "suspects".) To the kind of people that set up
>such massive checking, encrypted calls *by definition* are
>"suspicious" and, if practical such calls should be broken and
>analyzed.
I can't speak to what is done outside the US, but it is
virtually a guaranteed thing that International calls are
screened for key word recognition here. If you say the right
thing, a human *will* listen to it.
However, doing that for *all* calls is simply too large a
project to even imagine. Hence I really doubt it is very common
on domestic calls anywhere. (Which is not to say that it
doesn't happen on some selectively small portion.)
(Which brings to mind an interesting conversation I had with a
pilot that used to work here in Barrow between gigs flying 747's
in the Middle East for various outfits including the Kingdom of
Saudi Arabia. He asked me one day if his phone might be tapped!
I laughed at him, and said considering the places he goes and
the company he keeps, it probably was. Then I asked him why he
thought it might be, and was he making any international calls.
He said something like, "Well, my son calls his wife who is
currently in Indonesia. She's from China." I just about rolled
off my chair onto the floor! And I told him to be *damned*
careful how they phrase what they say.... He then told me a few
stories about doing things like flying charters with Yasir
Arafat on board. It causes quite a stir when a request for
landing instructions includes an announcement that security
will be needed...)
--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
> Well, it's a bit more difficult that it appears. One of the problems
> I previously hinted is that in order to "wireless-tap" a VoIP
> conversation, it is necessary to hear both radios that are involved.
What about if that's Joe at home using a wireless VoIP phone to his home
AP? No other radio (as in phone) involved, just off to some SIP proxy
through his phone service provider.
On Sun, 07 Aug 2005 17:10:37 GMT, David Taylor <djtaylor@bigfoot.com>
wrote:
>> Well, it's a bit more difficult that it appears. One of the problems
>> I previously hinted is that in order to "wireless-tap" a VoIP
>> conversation, it is necessary to hear both radios that are involved.
>What about if that's Joe at home using a wireless VoIP phone to his home
>AP? No other radio (as in phone) involved, just off to some SIP proxy
>through his phone service provider.
>David.
Same problem. Let's say the access point can be heard from the
street. But the 802.11 VoIP handset is wandering all over the house.
There's no problem hearing the return side of the conversation coming
from the access point, but picking up the handset will be difficult.
As soon as Joe Sixpack puts a few walls between himself and the
sniffing antenna, the signal will be lost or full of reflections. You
get to sniff only one side of the conversation.
I know a sneaky way around this problem, but I don't wanna disclose
any secrets.
At about the time of 8/6/2005 6:02 AM, Phil Thompson stated the following:
> On Sat, 06 Aug 2005 12:51:32 GMT, Daniel Rudy <nospam@nospam.net>
> wrote:
>
>
>>The FBI recently had a demonstration where they broke 128bit WEP
>>security inside of 5 minutes.
>
>
> why were they wasting their time and your money on that. WPA etc were
> invented precisely because WEP is known to be weak.
>
> Phil
This was at a security conference. Plus, not all equipment can support WPA.
--
Daniel Rudy
Email address has been encoded to reduce spam.
Remove all numbers, then remove invalid, email, no, and spam to reply.
>In article <j42bf159dd66j4vvt25u4shsto7lcq55fa@4ax.com>,
>jnitron <jnitron-nospam@hotmail.com> wrote:
>:But, lets's consider the qualifier, "all practical purposes".
>
>:What is the risk? If the contents of Fort Knox were housed in an old
>:dusty anonymous warehouse, which nobody knew about, then it would be
>:100% secure. Nobody would know about it so there would be no threat
>:and no risk.
>
>Nope. Kids have a hobby around here: they wander around and
>break into or set fire to old dusty buildings.
>
>"dusty anonymous" warehouses are also subject to "traffic analysis":
>People enter and leave Fort Knox all the time, but people
>mostly leave anonymous warehouses alone.
My point exactly. If the caller is not the subject of attention, then
security is irrelevant. Even the casual listener in a crowded barroom
or sitting with a laptop in the corner of a fast food outlet will be
no threat whatsoever - even if he finds the conversation to be
"interesting".
>
>:If Steve's telephone conversations are similarly "dusty" and
>:"anonymopus"... lets say boring, then likewise, they are practically
>:secure because they will be of no interest to anyone, and even if
>:somebody happenned to overhear, the conversation would need to be of
>:interest to the eavesdropper to even begin to carry the threat of any
>:potential adverse consequence.
>
>Right. And "Echelon" is merely an organizational unit.
Paranoia is the hallmark of somebody who has something to hide and he
believes others have reason to be concerned about. Fortunately most of
us have nothing to hide. We are more concerned about finding out about
what is hidden than trying to hide that which most people have no
interest in knowing.
Maybe its time that we turned our obsession with secretiveness into an
obsession with openness. Perhaps disasters kike 9/11 could not happen
if we did so?
>The USA denies it, but there is fairly solid evidence in Europe
>(UK especially) and Australia, that there is widespread -automatic-
>sorting through domestic and international telephone conversations --
>automatically checking *all* calls through major exchanges
>(not just calls from "suspects".) To the kind of people that set up
>such massive checking, encrypted calls *by definition* are
>"suspicious" and, if practical such calls should be broken and
>analyzed.
Yes. We agree that even if something can't be cracked in real time it
can be cracked. The interception of wireless messages which happens at
the physical layer and is equivalent to wire tapping CANNOT be
stopped.
What can be stopped is realtime listening to conversations by
employing VOIPsec and other powerful encryption techniques. A SIP
initiated call using IPSEC in a WPA environment works.
Read http://csrc.nist.gov/publications/ni...0-58-final.pdf
or maybe you should read about the British achievements at Bletchley
Park 60 years ago, which probably saved America's ass at Midway.
Encoded wireless transmissions are not new and there will probably
never be a way of making them 100% secure.
Remember that the vast majority of email sent across public networks,
even outwith VPN's, is not encrypted. Our reliance on the spoken
word is far less. (For example, President Reagan who said in a
wireless broadcast ....... "My fellow Americans, I'm pleased to tell
you today that I've signed legislation that will outlaw Russia
forever. We begin bombing in five minutes.")
Remember that the question we are trying to answer was concerned with
"practical" security, not the level of security that might be needed
to prevent the interception of thought processes as if in a "Matrix"
dreamworld.
In article <gs1df1pkvu6g3hq55tl0lqsm2f1eolrbm2@4ax.com>,
jnitron <jnitron-nospam@hotmail.com> wrote:
:Paranoia is the hallmark of somebody who has something to hide and he
:believes others have reason to be concerned about. Fortunately most of
:us have nothing to hide. We are more concerned about finding out about
:what is hidden than trying to hide that which most people have no
:interest in knowing.
Sigh, the old "Only people with something to hide mind widespread
surveillance" canard.
Do I have "something to hide" ? Yes and No: I publish my political
opinions under another one of my identities so that my employers
are free to ignore them. Does "Freedom of Opinion" exist? In theory,
yes, but so too exists the freedom of people with power to decide
to take a dislike to organizations which employ people who say
things that someone doesn't want to hear.
:Maybe its time that we turned our obsession with secretiveness into an
:obsession with openness. Perhaps disasters kike 9/11 could not happen
:if we did so?
Do Death Squads stop existing when it is discovered who does the
killing? No. Secrecy is only -one- of the themes in the songs Of
power.
A certain well-known country, a target of international terrorism,
objected strenously to the formation of the International Court of
Justice, and the country's price for dropping the resistance was
blanket immunity for its citizens before the court. Is that country
conveying that it has something to hide that is of greater value to it
then the protection gained by exposing terrorists in open courts?
--
The rule of thumb for speed is:
1. If it doesn't work then speed doesn't matter. -- Christian Bau
On Mon, 08 Aug 2005 00:35:53 +0100, jnitron
<jnitron-nospam@hotmail.com> wrote:
>My point exactly. If the caller is not the subject of attention, then
>security is irrelevant.
I'm sure all the law abiding citizens with government files of their
activities will be gratified to know that the government will not use
the information against them. I'm not the most law abiding citizen in
the US. I do keep skeletons in my closet. I do have some secrets
that I don't want anyone to know about. I also have a collection of
commercial secrets that are not for general consumption. I have
plenty to hide. Whether the evidence collecting is done by our
beloved government, by our trusted business associates, or by
professional informers, is not really important. It's why they find
it necessary to do so that bothers me. Don't blame the victim.
>Paranoia is the hallmark of somebody who has something to hide and he
>believes others have reason to be concerned about.
Ignorance is the hallmark of someone about to get hacked. Someone who
is informed of the mechanics of how privacy intrusions, wireless
sniffing, general hacking, and wireless-tap recordings are done, is
less likely to find themselves compromised than the ignorant. I'm not
suggesting that paranoia should be some type of security measure, but
awareness of exploits and techniques will often do more to prevent a
security breach than all the automagic IDS systems.
>Fortunately most of
>us have nothing to hide.
Oh? Could I trouble you for your bank ID, social security numbers,
birthdate, mother's maiden name, credit card numbers, collection of
passwords, and name of your mistress? Surely you don't think these
should be kept hidden.
>We are more concerned about finding out about
>what is hidden than trying to hide that which most people have no
>interest in knowing.
Well, the line between privacy and security is a thin and shifting
line. The recent example of where Googles president had his privacy
allegedly violated using his own Google search tools is a good example
of the moving line: http://money.cnn.com/2005/08/05/technology/google_cnet/
I have successfully horrified customers by digging through various web
sites for their past information. (It's also called "ego surfing").
Addresses and phone numbers are easy. Former employers can sometimes
be found. Old email addresses are fairly easy. Birthdays are spotty
but possible. Until recently, drivers license numbers, SSI numbers,
and some medical records were possible. Whether someone is interested
in this information really depends on what they have in mind to do
with it. Identity theft comes to mind. Depending upon circumstances,
the info itself can be quite damaging. For example, when I found a
customers birthday online, he was almost in a state of panic because
he was lying to his employer about his age.
>or maybe you should read about the British achievements at Bletchley
>Park 60 years ago, which probably saved America's ass at Midway.
>Encoded wireless transmissions are not new and there will probably
>never be a way of making them 100% secure.
Drivel. The US and British were not exchanging decrypts or technology
at that point in the war. While the British were well ahead of the US
on German ciphers, the US had been working for years on Japanese JN-25
ciphers at "station Hypo" in what much later became Arlington Hall.
The Midway decrypts came strictly from US codebreakers. See:
"Battle of Wits" by Stephen Budiansky
for details of the US efforts.
> http://www.amazon.com/exec/obidos/tg...51038?v=glance
>Remember that the vast majority of email sent across public networks,
>even outwith VPN's, is not encrypted.
Did you ever wonder why it's not encrypted? You could easily have
encrypted email and authenticated servers without much difficulty.
There are RFC's describing the techniques in detail. The problem is
that you lose anonymity in the process. It's impossible to encrypt
and authenticate without point a finger directly at the source of any
traffic. There are a large contingent of users that consider
anonymity equivalent to privacy and don't want to lose that for fear
of government or corporate reprisals. I consider this to be a real
fear and the major stumbling block preventing universal encryption.
>Our reliance on the spoken
>word is far less. (For example, President Reagan who said in a
>wireless broadcast ....... "My fellow Americans, I'm pleased to tell
>you today that I've signed legislation that will outlaw Russia
>forever. We begin bombing in five minutes.")
Reagan had quite a few better quotes: http://en.wikiquote.org/wiki/Ronald_Reagan
If you've every listened in to an analog cellular conversation (before
it was outlawed), you would wonder why anyone would even want to
listen to that junk. 99.9% of everything I heard was garbage. Yet,
when I yacked with a customer on the way to a server recovery, I
stupidly announced the root password to their servers. For the next
two weeks, someone was trying to break into their system using this
root password (which I changed on arrival because it was time, not
because I was paranoid).
>Remember that the question we are trying to answer was concerned with
>"practical" security, not the level of security that might be needed
>to prevent the interception of thought processes as if in a "Matrix"
>dreamworld.
The technology for doing that isn't here yet. I visualize a bad
science fiction movie, where the victim wears a metal helmet full of
wires, and where a rack full of hardware sucks the thoughts directly
from his brain. Not this week, but maybe in the near future.
>Paranoia is the hallmark of somebody who has something to hide and he
>believes others have reason to be concerned about.
Every time someone lays that tripe out; I ask them a simple question:
Do you shit/have sex/etc in public?
If you have nothing to hide...why not?
They usually start babbling about then...
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
In article <qnadf19mf4l5ge3jq233in1uiaocinuv85@4ax.com>,
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
:On Mon, 08 Aug 2005 00:35:53 +0100, jnitron
:<jnitron-nospam@hotmail.com> wrote:
:>My point exactly. If the caller is not the subject of attention, then
:>security is irrelevant.
:I'm sure all the law abiding citizens with government files of their
:activities will be gratified to know that the government will not use
:the information against them.
Like the Denver Police "spy files" documented by the ACLU in Colorado...
:I have plenty to hide.
According to what I've read, most people do. Apparently there are
so many laws in the USA and Canada, that people unknowingly average
more than a dozen minor crimes per day, and a small number of what in
the US would be known as "felonies" [Canada doesn't have that
particular classification.]
See for example the following list of sexual "offences" in the USA
[I don't know how accurate it is]:
On Sun, 07 Aug 2005 18:39:38 -0700, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote:
>On Mon, 08 Aug 2005 00:35:53 +0100, jnitron
><jnitron-nospam@hotmail.com> wrote:
>
>>My point exactly. If the caller is not the subject of attention, then
>>security is irrelevant.
>
>I'm sure all the law abiding citizens with government files of their
>activities will be gratified to know that the government will not use
>the information against them.
Big brother is not yet completely concerned yet ( I believe) about
the trivial lives of the majority of its citizens, and what they
discuss in their VOIP conversations. Skeletons in your
cupboard?...sure, then don't discuss them on the phone. Would Reagan
have said what he did if he knew that the microphone was switched on?
>>Paranoia is the hallmark of somebody who has something to hide and he
>>believes others have reason to be concerned about.
>
>Ignorance is the hallmark of someone about to get hacked. Someone who
>is informed of the mechanics of how privacy intrusions, wireless
>sniffing, general hacking, and wireless-tap recordings are done, is
>less likely to find themselves compromised than the ignorant. I'm not
>suggesting that paranoia should be some type of security measure, but
>awareness of exploits and techniques will often do more to prevent a
>security breach than all the automagic IDS systems.
I would postulate that there are 2 doors most likely to be of interest
to the intruder. Both the open door and the heavily secured door
beckon infiltration. Ignorance may leave the door open while the
Paranoid will go for the latter. Awareness will encourage the use of a
sensible and practical level of security. Exactly half of us have
doors which are less secure than the average - I'm sure that it'd be
interesting to know if the majority of intrusions take place against
better or less well secured premises, or more importantly, from which
half of the spectrum is most value taken?
>>Fortunately most of
>>us have nothing to hide.
>
>Oh? Could I trouble you for your bank ID, social security numbers,
>birthdate, mother's maiden name, credit card numbers, collection of
>passwords, and name of your mistress? Surely you don't think these
>should be kept hidden.
So why would you discuss them in a VOIP call ? Remember security has 2
key purposes - to keep out, and to keep in. Why worry about keeping
out when it is simpler and much more secure to keep in
>>We are more concerned about finding out about
>>what is hidden than trying to hide that which most people have no
>>interest in knowing.
>
>Well, the line between privacy and security is a thin and shifting
>line. The recent example of where Googles president had his privacy
>allegedly violated using his own Google search tools is a good example
>of the moving line:
> http://money.cnn.com/2005/08/05/technology/google_cnet/
>I have successfully horrified customers by digging through various web
>sites for their past information. (It's also called "ego surfing").
>Addresses and phone numbers are easy. Former employers can sometimes
>be found. Old email addresses are fairly easy. Birthdays are spotty
>but possible. Until recently, drivers license numbers, SSI numbers,
>and some medical records were possible. Whether someone is interested
>in this information really depends on what they have in mind to do
>with it. Identity theft comes to mind. Depending upon circumstances,
>the info itself can be quite damaging. For example, when I found a
>customers birthday online, he was almost in a state of panic because
>he was lying to his employer about his age.
>
>>Read
>>http://csrc.nist.gov/publications/ni...0-58-final.pdf
>
>Good advice.
>
>>or maybe you should read about the British achievements at Bletchley
>>Park 60 years ago, which probably saved America's ass at Midway.
>>Encoded wireless transmissions are not new and there will probably
>>never be a way of making them 100% secure.
>
>Drivel. The US and British were not exchanging decrypts or technology
>at that point in the war. While the British were well ahead of the US
>on German ciphers, the US had been working for years on Japanese JN-25
>ciphers at "station Hypo" in what much later became Arlington Hall.
>The Midway decrypts came strictly from US codebreakers. See:
> "Battle of Wits" by Stephen Budiansky
>for details of the US efforts.
>> http://www.amazon.com/exec/obidos/tg...51038?v=glance
You will see in the following link and in other places that US /
British cooperation existed prior to the US entry into WWII. Also, and
contrary to the film, the British (not the Americans)
captured a 4 rotor Enigma machine from the submarine U110 http://www.guardian.co.uk/internatio...271027,00.html http://www.history.navy.mil/faqs/faq97-1.htm
Here's a good article about Enigma, if you're interested. http://en.wikipedia.org/wiki/Enigma_machine.
You'll note that the British designs for their code breaking equipment
(bombes) was made available after a US Navy visit to Bletchley Park
in July 1942.
JN25 was reportedly broken before Pearl Harbor by the Britosh at
Singapore where John Tiltman worked. Tiltman, who was born in London
on May 24, 1894, later worked at Bletchley Park. The Americans did
"break" JN25 but not untill many months later. http://www.fpp.co.uk/online/00/09/Codebreaking1.html
Considering that Bletchley Park operations were kept secret up to 1989
I doubt if the full level of collaborative effort has ever been fully
published. I would guess that John Tiltman's achievements were shared
by the Allies - and this should cast some reasonable doubt about who
was first. Like the majority of VOIP conversations - it really does
not matter anyway.
If there is any relevance in what I am speaking about it is this: that
if JN25 was understood at the time of Pearl Harbor and at Midway - the
outcome of each occasion was not affected by whether or not Japanese
messages were encrypted, but by whether or not they were sent (and
intercepted) in the first place. There is only one way to keep secrets
and that is not to tell them, as demonstrated by the documented
Japanese radio silence prior to Pearl Harbour.
Apologies for getting (slightly) off topic on this.
>>Remember that the vast majority of email sent across public networks,
>>even outwith VPN's, is not encrypted.
>
>Did you ever wonder why it's not encrypted? You could easily have
>encrypted email and authenticated servers without much difficulty.
>There are RFC's describing the techniques in detail. The problem is
>that you lose anonymity in the process. It's impossible to encrypt
>and authenticate without point a finger directly at the source of any
>traffic. There are a large contingent of users that consider
>anonymity equivalent to privacy and don't want to lose that for fear
>of government or corporate reprisals. I consider this to be a real
>fear and the major stumbling block preventing universal encryption.
I don't agree... its not encrypted because it mostly does not need to
be encrypted. Pre Shared Keys for example, make it possible to have a
message encrypted without the recipient (or anybody else) knowing
where the message originated. If you're fast enough you might just get
there in time to know who the recipient is. SMTP mail headers are
easily forged and anonymity is practically assured. If that is your
argument against email encryption - why bother to encrypt VOIP when
the only real identifier and prevention of anonymity is possibly voice
recognition (or sitting next to the people having the VOIP
converssation).
>>Our reliance on the spoken
>>word is far less. (For example, President Reagan who said in a
>>wireless broadcast ....... "My fellow Americans, I'm pleased to tell
>>you today that I've signed legislation that will outlaw Russia
>>forever. We begin bombing in five minutes.")
>
>Reagan had quite a few better quotes:
> http://en.wikiquote.org/wiki/Ronald_Reagan
>If you've every listened in to an analog cellular conversation (before
>it was outlawed), you would wonder why anyone would even want to
>listen to that junk. 99.9% of everything I heard was garbage. Yet,
>when I yacked with a customer on the way to a server recovery, I
>stupidly announced the root password to their servers. For the next
>two weeks, someone was trying to break into their system using this
>root password (which I changed on arrival because it was time, not
>because I was paranoid).
Again, it is clear that your convesation would have not needed to be
secured apart from the fact that you decided to inappropriately
disclose a secret. Tell me...if your converstion had been encrypted
would you still have felt the need to change the password? If you
would - what would the point have been in the encrytion? If you
wouldn't - would you have relied on the encryption to keep your
secret, or, would it have been better not to have told the password in
the first place? Or was it just luck that the timing of the password
change coincided with your disclosure.
How many times do we return to find that we'd forgotten to lock the
car (but nothing thankfully is missing). Would the car have been more
secure if we'd locked it? If yes, then only because of the probability
of an intrusion and not because of something evidenced by facts.
You'll know the story about the person who was fed up of having his
car broken into - so he left a note on the dash saying "nothing
valuable inside". When he returned to the car he found it broken into
with a note beside his, which read, "just checking".
>>Remember that the question we are trying to answer was concerned with
>>"practical" security, not the level of security that might be needed
>>to prevent the interception of thought processes as if in a "Matrix"
>>dreamworld.
>
>The technology for doing that isn't here yet. I visualize a bad
>science fiction movie, where the victim wears a metal helmet full of
>wires, and where a rack full of hardware sucks the thoughts directly
>from his brain. Not this week, but maybe in the near future.
>
>>Get real everybody !
>
>I am. It's called "crime-think".
So... why did you reveal the root password? Crime-think is not built
into VOIP phones and probably shouldn't need to be. The Eskimo story
earlier in this thread sums it up. While we should (and do)
acknowledge human imperfections, the answer is not in phone
technology, but in how we use it.
On Mon, 8 Aug 2005 03:13:08 +0000 (UTC), David Lesher
<wb8foz@panix.com> wrote:
>
>
>>Paranoia is the hallmark of somebody who has something to hide and he
>>believes others have reason to be concerned about.
>
>Every time someone lays that tripe out; I ask them a simple question:
>
> Do you shit/have sex/etc in public?
> If you have nothing to hide...why not?
>
>They usually start babbling about then...
There are some serious loopholes in your "simple" rhetorical question.
The first is that we are considering information here. There is a
difference between telling the public that you have sex or that you
defaecate, and actually demonstrating that functionality in a public
place.
Second, paranoia is being used to describe somebody who (ignoring the
psychiatric defenitions) in this instance is obsessed with hiding
information because he believes the information is more important than
it actually is. It seems that you are trying to describe somebody who
has nothing to hide, should be an exhibitionist, and is clearly
exactly the opposite.
Reactions to having feelings of "something to hide" and "having
nothing to hide" can certainly cause extreme behaviour. Walking
around with an M16 and "taking everybody out" who glances at you,
while you use your VOIP mobile might be a little more extreme than
deciding to have sex or defaecate in public - but both are at the ends
of the same spectrum (and both, fortunately, are frowned upon by the
law) If you can't tell why not?, then perhaps you should seek some
professional help.
Lastly, if you want to discuss sex and defaecation in a VOIP
conversation then that is up to you. I'm certain that you will not
need any encryption whatsoever to discourage others from listenning to
you, but if they did, I don't suppose it would matter a sh*t etc.
In article <fr4gf1t8e0hgoas17d8cpoiijj1ebnm1v9@4ax.com>,
jnitron <jnitron-nospam@hotmail.com> wrote:
:>>Paranoia is the hallmark of somebody who has something to hide and he
:>>believes others have reason to be concerned about.
:Second, paranoia is being used to describe somebody who (ignoring the
:psychiatric defenitions) in this instance is obsessed with hiding
:information because he believes the information is more important than
:it actually is.
Circular reasoning. When you were challenged on your statement
by people who were understanding it in terms of the usual definition
of "paranoia", you redefined "paranoia" to describe the
the symptoms which earlier you said were a "hallmark" of some people.
It's like saying, "Ferdnitz is the hallmark of people who frobitz",
and then "Ferdnitz is being used to describe people who obsessively
frobitz". How can you possibly be wrong, when you've redefined
the terms so that you are right by definition?
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter
On Tue, 09 Aug 2005 03:19:49 +0100, jnitron
<jnitron-nospam@hotmail.com> wrote:
>Big brother is not yet completely concerned yet ( I believe) about
>the trivial lives of the majority of its citizens, and what they
>discuss in their VOIP conversations.
You have inside knowledge of what Big Brother is interested in
collecting? Do you work for Big Brother?
>Skeletons in your
>cupboard?...sure, then don't discuss them on the phone.
Somehow, I thought that I had an expectation of privacy when talking
on the phone. I guess not. I'll appoint you official censor to
decide what I can safely discuss over the telephone.
>>Oh? Could I trouble you for your bank ID, social security numbers,
>>birthdate, mother's maiden name, credit card numbers, collection of
>>passwords, and name of your mistress? Surely you don't think these
>>should be kept hidden.
>
>So why would you discuss them in a VOIP call ?
OK, let's take them one at a time:
Bank ID: When someone rips off my credit card number and the bank
phones me to verify the purchase.
SSI number: Used to verify my identity when talking to my bank.
Birthdate: Used to verify various accounts (bank, cheque, credit).
Mother's maiden name: Also used to verify identity.
Password collection: Walking my customers through an email or account
setup.
Name of Mistress: Never mind.
Are these sufficient reasons to mention these over the phone?
>JN25 was reportedly broken before Pearl Harbor by the Britosh at
>Singapore where John Tiltman worked. Tiltman, who was born in London
>on May 24, 1894, later worked at Bletchley Park. The Americans did
>"break" JN25 but not untill many months later.
>http://www.fpp.co.uk/online/00/09/Codebreaking1.html
Thanks. I didn't know that the British had proceeded the Americans in
cracking JN-25. The book I previously noted did not include any
mention of British contributions to cracking JN-25.
>There is only one way to keep secrets
>and that is not to tell them, as demonstrated by the documented
>Japanese radio silence prior to Pearl Harbour.
That's not very practical for running a world wide military operation.
It might be possible to maintain radio or telephone silence for a
short period of time, for a single operation (Battle of the Bulge),
but to maintain any coordination with distant operations requires
radio and telephone communications. Similarly, if I want do business
these days, I have to use unencrypted email and unsecured telephones.
Using sealed letters might be an alternative, but would be very slow.
>>Did you ever wonder why it's not encrypted? You could easily have
>>encrypted email and authenticated servers without much difficulty.
>>There are RFC's describing the techniques in detail. The problem is
>>that you lose anonymity in the process. It's impossible to encrypt
>>and authenticate without point a finger directly at the source of any
>>traffic. There are a large contingent of users that consider
>>anonymity equivalent to privacy and don't want to lose that for fear
>>of government or corporate reprisals. I consider this to be a real
>>fear and the major stumbling block preventing universal encryption.
>I don't agree... its not encrypted because it mostly does not need to
>be encrypted.
Who are you to judge what does and does not require encryption? If a
link is deemed to be secure, then EVERYTHING going across that link
should be encrypted. Most of the traffic probably doesn't need to be
encrypted, but once the capabilities are present, encryption becomes
part of the definition of security and is therefore required for all
communications along that link.
>Pre Shared Keys for example, make it possible to have a
>message encrypted without the recipient (or anybody else) knowing
>where the message originated.
True. PGP also has an anonymous encryption feature. However, the
limitations of pre-shared keys are well known. The RFC's I mentioned
include authentication methods that are traceable back to the
originator. This is generally required to prevent spoofing. We could
create an encryption system without authentication, but if you also
want to prevent spoofing, identity theft, spam, and counterfeit
servers, authentication is required.
>... why bother to encrypt VOIP when
>the only real identifier and prevention of anonymity is possibly voice
>recognition (or sitting next to the people having the VOIP
>converssation).
I'm a fan of X.509 certificates and authentication. I want to know
that the other end of the conversation is my intended recipient, and
not a simulation generated by a computah. When I used to work at a
radio station, I did a fair job of impersonating various personalities
by engaging in a conversation using recorded sound clips.
>Again, it is clear that your convesation would have not needed to be
>secured apart from the fact that you decided to inappropriately
>disclose a secret.
Again, who are you to decide which of my conversations need securing
and which may be safely sent in the clear? Wouldn't it be better and
safer to encrypt everything rather than risk inadvertently blabbering
something inappropriate or confidential?
>Tell me...if your converstion had been encrypted
>would you still have felt the need to change the password?
Oh yes. I needed to remind the customer of the root password over the
phone because we needed to get the server up and running as quickly as
possible. Delays meant lost dollars. However, I made it a point of
changing the major passwords on such systems about every 3 months. It
was overdue and thought this would be a good time. Had I changed it
previously during at the regularly scheduled cycle, I would probably
*NOT* have changed it on arrival, and ended up getting hacked. I
guess I had good karma or something.
Had I known and trusted the encryption, I probably would have felt a
bit better about disclosing the password. However, knowing that most
cellular systems with encryption (i.e. CDMA) also have automated
wiretap facilities at the switch, methinks I would tend to treat the
circuit as unprotected.
>If you
>would - what would the point have been in the encrytion?
I don't. The only encryption I trust is end to end. Cellular
encryption is NOT end to end.
>If you
>wouldn't - would you have relied on the encryption to keep your
>secret, or, would it have been better not to have told the password in
>the first place?
You mean like relying on WEP128 wireless encryption when it's know to
be crackable by commonly available tools? That's a judgment call
based on the technology used. I'm familiar with CDMA encryption
(CAVE) and know some tricky ways it can be theoretically cracked.
It's also not encrypted between the cellular switch and the PSTN. I
don't have an simple answer for all types of voice/data links and
encryption methods. My general rule is lousy encryption is better
than none because it eliminates a large number of lazy and marginal
hackers from the playing field.
>Or was it just luck that the timing of the password
>change coincided with your disclosure.
Pure luck that I changed it on arrival. Sorry, it's not a perfect
example of the dangers of unencrypted voice traffic, but it's close
enough.
>How many times do we return to find that we'd forgotten to lock the
>car (but nothing thankfully is missing). Would the car have been more
>secure if we'd locked it? If yes, then only because of the probability
>of an intrusion and not because of something evidenced by facts.
We can play this one by the odds if you want. Chances are very small
that an individual VoIP convesation will get hacked. The chances are
sufficiently small that risking an un-encrypted conversation might be
an acceptable risk. However, it's no the odds, but the risks. Is the
risk of hacking worth the cost and overhead of encryption? Again, it
depends on the traffic and hardware.
>So... why did you reveal the root password?
To expedite a crash recovery while I drove like a maniac to the
customer's server farm.
>Crime-think is not built
>into VOIP phones and probably shouldn't need to be. The Eskimo story
>earlier in this thread sums it up. While we should (and do)
>acknowledge human imperfections, the answer is not in phone
>technology, but in how we use it.
A very poor answer methinks. By limiting my ability to exchange
secrets and confidential information via a medium that could be
private and secure, you'll limited the usability of that medium.
Whether this is a fair tradeoff depends on the costs of encryption and
the effects on usability.
> On Thu, 04 Aug 2005 02:23:01 -0800, floyd@apaflo.com (Floyd L. Davidson)
> wrote:
>
> >Do not ever say anything on a telephone that you cannot live
> >with seeing on the front page of tomorrow's local newspaper.
>
> This thread reminds me of the novel The Light of Other Days (Arthur C.
> Clarke and Stephen Baxter.)
Re: VOIP over Wi-Fi subject to eavesdropping? 
Linear Mode
