Zimmermann, Encrypted VoIP, and Uncle Sam

An anonymous reader noted that Phillip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.

Brave New World

[TripMaster Monkey]

From another NYTimes article, Bush Aide Defends Eavesdropping on Phone Calls [nytimes.com](emphasis mine):

President Bush's national security adviser, Stephen J. Hadley, insisted today that a newly disclosed government effort to compile data on millions of telephone calls in search of terrorist-linked calling patterns was a legal and "narrowly designed program" that did not involve listening to individual calls.

So why exactly is the government getting their knickers in a twist over Zfone? After all, the program is just intended to compile a database of call information, not actually listen to the content of the conversations. Doing that, as the administration has repeatedly told us, would require a court order.

So if you have a person you suspect from the numbers he's connected with, and you do obtain that court order, and it turns out he's using Zfone, there are other ways of getting the content of that conversation (hint: it has to be unencrypted at some point, so the 'terrorists' can understand each other). Arduous, sure, but since this will be done on only a select few, it's not that much of a hardship.

No, the reason the government doesn't like Zfone is because they want perform blanket surveillance on all American citizens; to listen to all our calls, all the time. By utilizing speech-recognition software and an ever growing list of suspect words and phrases, they will be able to keep tabs on the unruly U.S. population, weeding out terrorists, political dissidents, environmentalists, Democrats, and other 'undesirables'.

Re:Brave New World

[Penguinisto]

"After all, the program is just intended to compile a database of call information, not actually listen to the content of the conversations. Doing that, as the administration has repeatedly told us, would require a court order."

Because someday the FBI (or whoever) may find it harder to listen in on these encrypted conversations in cases where they have a court order to do so.

/P

MOD PARENT UP

[ZachPruckowski]

Very true. But whenever technology gets involved in a discussion, people's eyes sort of glaze over. No one knows what's going on, they just hear Internet phone calls, terrorism, and encryption. While you and I know that anyone intercepting a packet (encrypted or not) can tell where it came from and where it's going, America doesn't. They probably think it's an effort at parity between VOIP and normal phone calls (if they know what VOIP is).

same reason we keep the curtains drawn @ home?

[Penguinisto]

"why would people with nothing to hide want to encrypt their conversations."

For the same reason I keep the curtains drawn in my bedroom windows at night, esp. when the s/o gets frisky.

Just because me and my s/o's bedroom activities are perfectly legal doesn't mean I want everyone else (let alone the government) monitoring it.

/P

Re:Brave New World

[TripMaster Monkey]

As I said in my previous post, there are other ways of getting the content of a conversation. Since the content must be decrypted at either end, listening devices positioned at either endpoint are easily capable of intercepting the communication, encrypted or not.

As I said, this is arduous...much harder than just listening to a line, but eavsedropping on American conversations shouldn't be easy. If the FBI (or whoever) is serious enough about capturing the content of a particular communication to obtain a court order, it's not asking that much more that they work around any encryption present.

The difference here is that while agencies could continue to listen to targeted communications by these methods, the logistics of applying them to blanket surveillance are completely unworkable, offering us some measure of protection from a wholesale violation of our privacy by the government. This is precisely why the government is against encryption...not because it would make individual cases harder, but because it would make blanket surveillance impossible.

Re:Brave New World

[Tackhead]

> No, the reason the government doesn't like Zfone is because they want perform blanket surveillance on all American citizens; to listen to all our calls, all the time. By utilizing speech-recognition software and an ever growing list of suspect words and phrases, they will be able to keep tabs on the unruly U.S. population, weeding out terrorists, political dissidents, environmentalists, Democrats, and other 'undesirables'.

From an old .sig quote:

NSA is now funding research not only in cryptography, but in all areas of advanced mathematics. If you'd like a circular describing these new research opportunities, just pick up your phone, call your mother, and ask for one.

...and to cut down on the costs of their recruitment budgets!

Considering that most of the parents of new postdoctorate-level mathematicians probably live overseas nowadays (and whose conversations are therefore legal to record), maybe the old .sig quote was always more true than funny.

Re:Brave New World

[TripMaster Monkey]

You can oppose anything by invoking the worst possible scenario consequences.

Worst-case scenario, huh? [abcnews.com]

Your 'worst-case scenarios' are happening.

Right now.

Get your head out of the sand.

Re:Brave New World

[Valar]

What's really scary about that are the number of posts on that page that are basically 'Good, you don't agree with our favorite policies, so you shouldn't have any rights.' or 'If you aren't with the president, then you're with the enemy, so of course you're gonna get wiretapped.' This is coming from so-called conservatives. Way to defend the constitution guys. Good hustle.

Terrorists!

[homebrewmike]

Terrorists are already using encryption to protect their privacy. Don't you think you should as well?

Re:Brave New World

[Penguinisto]

"As I said, this is arduous...much harder than just listening to a line, but eavsedropping on American conversations shouldn't be easy."

Maybe, maybe not... but then, there are times when time is of the essence, and even the time taken to decrypt something the hard way in a timely manner is of utmost importance if there are potential lives at stake. The world's first electronic computer, Colossus, was built to decrypt German encryption during WW2, and was specifically built to be as fast and efficient as possible, because timely intelligence = lives saved.

While I doubt that decrypting a phone conversation nowadays usually isn;t exactly what one would call an urgent thing, there may be times where it is.

/P

Re:Didn't read the tech specs ...

[gclef]

If he's still using the system he presented last summer at BlackHat, he's actually doing something rather clever:

The system does a standard Diffie-Hellman key exchange between the two softphones, and hashes that exchange to words that each caller is supposed to read to the other (you see what they're supposed to say, and they see what you're supposed to say). So, unless the man-in-the-middle can also impersonate your voice, MITM'ing the connection is very difficult.

Also, the hashes used to generate that vocal exchange are stored for each destination you call for every call, and fed into the new hash generation. So, even if you skip a round of comparing the hashes, if you do it for a later call & it works, you can be assured that the *previous* call was also clean.

Offtopic: on the subject of Bush criticism:

[PFI_Optix]

Before you launch into yet another tirade against the president, bear in mind that our divided Congress consistently allows things like this. This isn't a Bush thing or a Republican thing. This is a beaurocratic, ivory tower, professional politician thing. This happens because we elect the very wealthy from both parties, so that the majority of our elective government has very little connection with their constituents. We create political dynasties, voting for celebrities rather than leaders. Our current political situation isn't due to one man or one party, but rather one entire nation ignoring its own wellbeing in favor of the candidate with the best sound-bites and the stiffest hair. We might as well be getting our political news from E!: who cares how they voted, let's find out which congressman is cheating on his wife this week and what Hillary wore to session today.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:nothing to hide

[Ripley]

why would people with nothing to hide want to encrypt their conversations.

From "The Eternal Value of Privacy" by Bruce Schneier in Wired (http://www.wired.com/news/columns/0,70886-0.html? tw=wn_index_23)

"... accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect."

What can we do?

[Peter Trepan]

Free minds. The greatest chilling effect of universal surveillance doesn't come from men in black vans. It comes from being unveiled as a Commie, or an Islamic Sympathizer, or even A Guy Who Googled for "Fatties" in front of your friends/employers/relatives/whatever. The greatest force against freedom in our society is us.

Not one of Sen. McCarthy's victims was actually thrown in a gulag. Think about that. They weren't fired by the government. They were fired by PHBs who acted in blind sympathy with loudmouthed bureaucrats. There would have been no McCarthyism if the public had not been willing to punish itself for unpopular thought and/or speech.

We need a society in which there's no difference between what's illegal and what harms others, and holds all other things not only legal, but acceptable. Once we have that society, people who have done nothing to harm others really will have little to fear. But there's one more thing: If we're going to use public safety as an excuse for universal surveillance, we have to give the power of surveillance to everyone, not just government.

Privacy advocates might cringe at that last statment, but consider this: People are getting more wired, surveillance is getting easier and cheaper, and that trend may never reverse. There may be nothing we can do to stop privacy from dying. Maybe we should start thinking about what we're going to do when it does.

Freedom is not safe or pretty.

[khasim]

The world's first electronic computer, Colossus, was built to decrypt German encryption during WW2, and was specifically built to be as fast and efficient as possible, because timely intelligence = lives saved.

That's nice. But being at war with a country is different than spying on your own citizens.

While I doubt that decrypting a phone conversation nowadays usually isn;t exactly what one would call an urgent thing, there may be times where it is.

There may be.

The problem is, far Far FAR FAR more often it is not.

But it is ALWAYS subject to abuse.

Being Free means that we accept the risk that the "bad guys" will abuse that Freedom to hurt/kill some of our citizens.

But they will never defeat us. Only we can do that by surrendering our Freedom for the illusion of "safety".

Re:Cryptome

[phoenix.bam!]

You sir, are a hero. Thank you for your work.

Re:Cryptome

[SEAL]

Then why do you insist on having people register in order to download, instead of providing a simple link?

For better or worse, people interested in this type of technology also have a vested interest in anonymity.

Re:Brave New World

[TripMaster Monkey]

Maybe, maybe not... but then, there are times when time is of the essence, and even the time taken to decrypt something the hard way in a timely manner is of utmost importance if there are potential lives at stake.

I'm sorry, but that argument just doesn't hold water. Your statement is analagous to saying that clothing must be outlawed, since clothing can conceiveably be used to conceal weapons. Frisking certain suspect individuals simply isn't good enough, since locating the weapons in a timely manner is of utmost importance (if there are potential lives at stake).

To continue the analogy, if the suspicion is targeted, frisking works just fine, and works without violating the privacy of innocent citizens. If the suspicion is not targeted, however, frisking everyone is a logistical impossibility, so the outlawing of clothing is the only option.

(And yes, I know my analogy is somewhat flawed, since x-rays can locate some weapons without the need for disrobing, but my point is still valid).

The mere possibility of the interception and decryption of a suspect communication taking too long to save lives is not enough to justify the wholesale violation of the privacy of the citizenry (at least, it shouldn't be in America...).

Evil Republicans!!

[g_adams27]

> By utilizing speech-recognition software and an ever growing list of suspect words and phrases,
> they will be able to keep tabs on the unruly U.S. population, weeding out terrorists,
> political dissidents, environmentalists, Democrats, and other 'undesirables'.

Those evil Republicans! Except, wait... wasn't it the Clinton Administration that launched a 3-year criminal investigation of Phil Zimmerman in 1993?

And wasn't that the same President who championed the Clipper chip, so the government would have the keys it needed to decrypt your phone calls?

US doesn't really want to find Bin Laden...

[fahrbot-bot]

They can't find Bin Laden with all the military might...

I contend that they can find Bin Laden, but don't really want to. The minute he's captured, any (remaining) support for continuing the "War On Terror" goes right out the window. As long as he's out there, the administration can yell "9/11" to justify anything they want and the sheeple will buy it.

Flame me if you want, but the Bush Administration is EVIL. I'm not saying that Bush himself is evil (he's not that smart), but his policies and cronies - you know it baby.

Only a Terrorist Wants to be Free!

[Il128]

Sorry but the idea that we all have to give up our freedom to be safe and free is just beyond stupid.

Re:A band-aid over a Sucking Wound

[Lord Ender]

If your key is long enough, #3 would require super-computers larger than The Sun. No government is as powerful as exponential growth :-)

You should study crypto before posting.

Re:Haha

[Moofie]

"Is the government enforcing a law that terrifying to you?"

Depends on the law. A substantial fraction of the recent ones are, in fact, pretty terrifying.

Re:nothing to hide

[Dunbal]

why would people with nothing to hide want to encrypt their conversations.

      Because it's none of your fucking business that's why

Re:Freedom is not safe or pretty.

[Penguinisto]

"That's nice. But being at war with a country is different than spying on your own citizens."

I'm very sure that both the UK and the United States during WW2 were very busy searching for saboteurs and pro-nazi sympathizers within their respective citizenry, and used quite an array of wiretapping and other techniques to do so.

"The problem is, far Far FAR FAR more often it is not."

Agreed, but it is still there. Another semi-related factor is that encrypted conversations are more likely to attract attention than non-encrypted ones, no?

"But it is ALWAYS subject to abuse."

So are the FLIR heat-sensing cameras that most police helicopters come equipped with nowadays, and have carried since the mid-90's if memory serves. Those can see through quite a few obstacles that can otherwise conceal. That isn't a very valid excuse to intentionally hobble law enforcement authorities. If an authority is being abusive, we have the means and the right -- no, the duty -- to remove such people from positions of power, and punish them if necessary.

"Being Free means that we accept the risk that the "bad guys" will abuse that Freedom to hurt/kill some of our citizens."

Being 'Free' means that occasionally it may happen, not that we should refuse to prevent it from happening.

"Only we can do that by surrendering our Freedom for the illusion of "safety".

Freedom from ...? Ever since the first Telegraph was put into place, governments can and have monitored them whenever they deemed it necessary. There are plenty of perfectly legal warrantless means of doing so. ...and it's not just me saying this [securityfocus.com].

/P

Re:nothing to hide

[Moofie]

So, you don't use envelopes for mail either, do you?

You're right - I used too much hyperbole.

[Peter Trepan]

You're right - my post was an oversimplification. Talking loudly in a movie theater steps on the toes of other moviegoers, and you should be able to snark at those people without having them arrested. I guess my point was that "your freedom ends where my nose begins," is a system that works better when people are less nose-y.

Gay marriage is a perfect example. When this subject comes up, people turn out in droves to vote against other people's freedom. And then they complain when the majority votes to outlaw their rifle collection, or to make their smoking habit ruinously expensive, not realizing that by voting to manage someone else's behavior, they've just legitimized society's power to manage theirs.

And that gets back into the power of law, but the same principles apply to what people accept or don't accept in each other. If I establish that it's okay for me to fire someone purely for being gay/Commie/whatever, then I've also established that it's okay for you to fire me for being ugly/Democrat/whatever.

Re:Misplaced paranoia

[ObsessiveMathsFreak]

If you need more convincing, go to my Zfone FAQ page (http://philzimmermann.com/EN/zfone/index-faq.html ) where I address this particular question in great detail.

From TFL:

The Zfone registration page checks your IP address against the list of embargoed countries, then emails you a link that you must click on to start your download, and checks your IP address again when you follow that link, which presumably means you did not receive your email in an embargoed country, and that the download itself did not go to an embargoed country. It shows we made our best efforts to comply with U.S. export laws.

Your going to a lot of trouble for just about no gain at all. This system can and probably does not in any substantive way impede anyone from a blacklisted nation from downloading the software. It only alienates people who are casually interested, i.e. your main user base.

I can understand your situation. You're in a country where it is effectively illegal to publish online any piece of software that contains even the most basic of encryption algorithims. The situation is of course ludacrious, as such algorithims have long been in the public domain, at least as far as knowladge is concerned.

The purpose of the law of course, is not to prevent the export of encryption to forgein countries. They already have these algorithims. Nor is it to prevent access to the terrorist boegyman. They either don't use it, or can easily get access to encryption.

No. The purpose of the law is to hang the sword of damocles over the head of anyone who wants to bring safe and secure communication to the masses. The government doesn't want the masses to encrypt their traffic, and they use this law to impede the distrobution of your software and others like it.

I think you need to give up the ghost here. If your government wants to shut you down. they will, regardless of how much you try to comply with export restrictions it will never be good enough. I think you need to stop playing by rules where you can't possibly win and simply go all out in an effort to get as many people using zfone as possible. All out. Unrestricted downloads, ease of use, ad campaign, browser plugins, whatever. Just do anything to get as many people using encrypted VOIP as you possibly can, because until then, your software will remain one the fringe where it's easier to shut down.

If everyone and the Senator's daughter is using secure VOIP, it's only then that people will realise they have somthing to lose, and you'll have a better defense. Before that everyone who uses SVOIP is "aiding terrorism", not protecting people's privacy. Until Aunt Tillie is using your software, this angle can and will be played. You should do everything to get her onside ASAP.

Re:They give you the list

[hughk]

The OFAC list is seriously fscked as it is orientated purely around latin representations of names. From many languages (i.e., Arabic, Cyrillic) there are multiple latin transliterations. The data is usually of dubious provenance and there may be discrepancies between the same entity listed in two diffent places.

Re:US doesn't really want to find Bin Laden...

[fahrbot-bot]

I contend that you could understand the situation if you wanted to, but you're just to lazy to do more than bitch from the safety of your armchair.

I understand things just fine, but I don't believe the general population does. In addition, I do my part by doing my job.

Even if we were to capture ben [sic] laden, enough of his organiziation is bound to be left around the world to guarantee that the repressive policies that have come since 9/11 are going to continue.

Agreed, but the administration has expended a lot of political capital pointing the finger directly at Bin Laden. If he were imprisioned, they'd have to convince the people all over again that the security procedures (e.g., domestic spying) are warranted.

I don't like it any more than you appear to, but I don't see any way back to an open trusting society the way it supposedly "used to be".

Well, we could simply roll things back. I mean really, do the airport security procedures actually make us significantly safer? (Profiling would probably work better.) Does the "no fly list" really help (ask Ted Kennedy)?

Terror isn't their only goal. Turning the U.S. into a police state would make them almost as happy. Destroying our way of life destroys who we are as a nation. Ask John Gilmore, "papers please?", ask ABC reporters what Gonzalas thinks about the 1st amendment, etc...

Sorry, perhaps I need some more coffee (or less)...

P.S. Your sig is right on.