VOIP over Wi-Fi subject to eavesdropping? - PGP



Thread: VOIP over Wi-Fi subject to eavesdropping?

  1. Re: VOIP over Wi-Fi subject to eavesdropping?

    On Sun, 07 Aug 2005 07:48:48 GMT, David Taylor
    wrote:

    >> Consider that the WiFi eavesdropper also needs to be within reception
    >> range and his task becomes even more difficult.

    >
    >That's hardly a problem with a decent antenna. People have been
    >sniffing round for open AP's for ages, similarly screwing up Bluetooth.
    >Maybe VoIP credit card detail hijacking is next. It's not that
    >difficult.


    Well, it's a bit more difficult than it appears. One of the problems
    I previously hinted is that in order to "wireless-tap" a VoIP
    conversation, it is necessary to hear both radios that are involved.
    Just listening to the access point only gives you half the
    conversation. The solution is to either position yourself in an ideal
    location, where both the AP and the client radio can be sniffed, or to
    use two sniffers. It's especially messy with point to point links,
    where there's often not enough RF at ground level to hear both sides
    from one location.

    If such sniffing is done with a single laptop, the antenna probably
    needs to be an omnidirectional affair (to hear both sides). While a
    dish or panel might offer more gain to do this at a distance, the omni
    will require that the sniffer be located fairly close to the radios.
    However, for sniffing in a coffee shop, almost any antenna can be
    used.



    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    AE6KS 831-336-2558

  2. Re: VOIP over Wi-Fi subject to eavesdropping?

    roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:
    >The USA denies it, but there is fairly solid evidence in Europe
    >(UK especially) and Australia, that there is widespread -automatic-
    >sorting through domestic and international telephone conversations --
    >automatically checking *all* calls through major exchanges
    >(not just calls from "suspects".) To the kind of people that set up
    >such massive checking, encrypted calls *by definition* are
    >"suspicious" and, if practical such calls should be broken and
    >analyzed.


    I can't speak to what is done outside the US, but it is
    virtually a guaranteed thing that International calls are
    screened for key word recognition here. If you say the right
    thing, a human *will* listen to it.

    However, doing that for *all* calls is simply too large a
    project to even imagine. Hence I really doubt it is very common
    on domestic calls anywhere. (Which is not to say that it
    doesn't happen on some selectively small portion.)

    (Which brings to mind an interesting conversation I had with a
    pilot that used to work here in Barrow between gigs flying 747's
    in the Middle East for various outfits including the Kingdom of
    Saudi Arabia. He asked me one day if his phone might be tapped!
    I laughed at him, and said considering the places he goes and
    the company he keeps, it probably was. Then I asked him why he
    thought it might be, and was he making any international calls.
    He said something like, "Well, my son calls his wife who is
    currently in Indonesia. She's from China." I just about rolled
    off my chair onto the floor! And I told him to be *damned*
    careful how they phrase what they say.... He then told me a few
    stories about doing things like flying charters with Yasir
    Arafat on board. It causes quite a stir when a request for
    landing instructions includes an announcement that security
    will be needed...)

    --
    Floyd L. Davidson
    Ukpeagvik (Barrow, Alaska) floyd@apaflo.com

  3. Re: VOIP over Wi-Fi subject to eavesdropping?

    > Well, it's a bit more difficult than it appears. One of the problems
    > I previously hinted is that in order to "wireless-tap" a VoIP
    > conversation, it is necessary to hear both radios that are involved.


    What about if that's Joe at home using a wireless VoIP phone to his home
    AP? No other radio (as in phone) involved, just off to some SIP proxy
    through his phone service provider.

    David.

  4. Re: VOIP over Wi-Fi subject to eavesdropping?

    On Sun, 07 Aug 2005 17:10:37 GMT, David Taylor
    wrote:

    >> Well, it's a bit more difficult than it appears. One of the problems
    >> I previously hinted is that in order to "wireless-tap" a VoIP
    >> conversation, it is necessary to hear both radios that are involved.


    >What about if that's Joe at home using a wireless VoIP phone to his home
    >AP? No other radio (as in phone) involved, just off to some SIP proxy
    >through his phone service provider.
    >David.


    Same problem. Let's say the access point can be heard from the
    street. But the 802.11 VoIP handset is wandering all over the house.
    There's no problem hearing the return side of the conversation coming
    from the access point, but picking up the handset will be difficult.
    As soon as Joe Sixpack puts a few walls between himself and the
    sniffing antenna, the signal will be lost or full of reflections. You
    get to sniff only one side of the conversation.

    I know a sneaky way around this problem, but I don't wanna disclose
    any secrets.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    AE6KS 831-336-2558

  5. Re: VOIP over Wi-Fi subject to eavesdropping?

    At about the time of 8/6/2005 6:02 AM, Phil Thompson stated the following:

    > On Sat, 06 Aug 2005 12:51:32 GMT, Daniel Rudy
    > wrote:
    >
    >
    >>The FBI recently had a demonstration where they broke 128bit WEP
    >>security inside of 5 minutes.

    >
    >
    > why were they wasting their time and your money on that. WPA etc were
    > invented precisely because WEP is known to be weak.
    >
    > Phil


    This was at a security conference. Plus, not all equipment can support WPA.

    --
    Daniel Rudy

    Email address has been encoded to reduce spam.
    Remove all numbers, then remove invalid, email, no, and spam to reply.

  6. Re: VOIP over Wi-Fi subject to eavesdropping?

    On Sun, 7 Aug 2005 15:33:41 +0000 (UTC), roberson@ibd.nrc-cnrc.gc.ca
    (Walter Roberson) wrote:

    >In article ,
    >jnitron wrote:
    >:But, let's consider the qualifier, "all practical purposes".
    >
    >:What is the risk? If the contents of Fort Knox were housed in an old
    >:dusty anonymous warehouse, which nobody knew about, then it would be
    >:100% secure. Nobody would know about it so there would be no threat
    >:and no risk.
    >
    >Nope. Kids have a hobby around here: they wander around and
    >break into or set fire to old dusty buildings.
    >
    >"dusty anonymous" warehouses are also subject to "traffic analysis":
    >People enter and leave Fort Knox all the time, but people
    >mostly leave anonymous warehouses alone.


    My point exactly. If the caller is not the subject of attention, then
    security is irrelevant. Even the casual listener in a crowded barroom
    or sitting with a laptop in the corner of a fast food outlet will be
    no threat whatsoever - even if he finds the conversation to be
    "interesting".
    >
    >:If Steve's telephone conversations are similarly "dusty" and
    >:"anonymous"... lets say boring, then likewise, they are practically
    >:secure because they will be of no interest to anyone, and even if
    >:somebody happened to overhear, the conversation would need to be of
    >:interest to the eavesdropper to even begin to carry the threat of any
    >:potential adverse consequence.
    >
    >Right. And "Echelon" is merely an organizational unit.


    Paranoia is the hallmark of somebody who has something to hide and he
    believes others have reason to be concerned about. Fortunately most of
    us have nothing to hide. We are more concerned about finding out about
    what is hidden than trying to hide that which most people have no
    interest in knowing.
    Maybe it's time that we turned our obsession with secretiveness into an
    obsession with openness. Perhaps disasters like 9/11 could not happen
    if we did so?

    >The USA denies it, but there is fairly solid evidence in Europe
    >(UK especially) and Australia, that there is widespread -automatic-
    >sorting through domestic and international telephone conversations --
    >automatically checking *all* calls through major exchanges
    >(not just calls from "suspects".) To the kind of people that set up
    >such massive checking, encrypted calls *by definition* are
    >"suspicious" and, if practical such calls should be broken and
    >analyzed.


    Yes. We agree that even if something can't be cracked in real time it
    can be cracked. The interception of wireless messages which happens at
    the physical layer and is equivalent to wire tapping CANNOT be
    stopped.
    What can be stopped is realtime listening to conversations by
    employing VOIPsec and other powerful encryption techniques. A SIP
    initiated call using IPSEC in a WPA environment works.
    Read
    http://csrc.nist.gov/publications/ni...0-58-final.pdf
    or maybe you should read about the British achievements at Bletchley
    Park 60 years ago, which probably saved America's ass at Midway.
    Encoded wireless transmissions are not new and there will probably
    never be a way of making them 100% secure.

    Remember that the vast majority of email sent across public networks,
    even outwith VPN's, is not encrypted. Our reliance on the spoken
    word is far less. (For example, President Reagan who said in a
    wireless broadcast ....... "My fellow Americans, I'm pleased to tell
    you today that I've signed legislation that will outlaw Russia
    forever. We begin bombing in five minutes.")

    Remember that the question we are trying to answer was concerned with
    "practical" security, not the level of security that might be needed
    to prevent the interception of thought processes as if in a "Matrix"
    dreamworld.

    Get real everybody !



  7. Re: VOIP over Wi-Fi subject to eavesdropping?

    In article ,
    jnitron wrote:
    :Paranoia is the hallmark of somebody who has something to hide and he
    :believes others have reason to be concerned about. Fortunately most of
    :us have nothing to hide. We are more concerned about finding out about
    :what is hidden than trying to hide that which most people have no
    :interest in knowing.

    Sigh, the old "Only people with something to hide mind widespread
    surveillance" canard.

    Do I have "something to hide" ? Yes and No: I publish my political
    opinions under another one of my identities so that my employers
    are free to ignore them. Does "Freedom of Opinion" exist? In theory,
    yes, but so too exists the freedom of people with power to decide
    to take a dislike to organizations which employ people who say
    things that someone doesn't want to hear.

    :Maybe it's time that we turned our obsession with secretiveness into an
    :obsession with openness. Perhaps disasters like 9/11 could not happen
    :if we did so?

    Do Death Squads stop existing when it is discovered who does the
    killing? No. Secrecy is only -one- of the themes in the songs of
    power.

    A certain well-known country, a target of international terrorism,
    objected strenuously to the formation of the International Court of
    Justice, and the country's price for dropping the resistance was
    blanket immunity for its citizens before the court. Is that country
    conveying that it has something to hide that is of greater value to it
    than the protection gained by exposing terrorists in open courts?

    --
    The rule of thumb for speed is:

    1. If it doesn't work then speed doesn't matter. -- Christian Bau

  8. Re: VOIP over Wi-Fi subject to eavesdropping?



    >Paranoia is the hallmark of somebody who has something to hide and he
    >believes others have reason to be concerned about.


    Every time someone lays that tripe out; I ask them a simple question:

    Do you ****/have sex/etc in public?
    If you have nothing to hide...why not?

    They usually start babbling about then...

    --
    A host is a host from coast to coast.................wb8foz@nrk.com
    & no one will talk to a host that's close........[v].(301) 56-LINUX
    Unless the host (that isn't close).........................pob 1433
    is busy, hung or dead....................................20915-1433

  9. Re: VOIP over Wi-Fi subject to eavesdropping?

    On Mon, 8 Aug 2005 03:13:08 +0000 (UTC), David Lesher
    wrote:

    >
    >
    >>Paranoia is the hallmark of somebody who has something to hide and he
    >>believes others have reason to be concerned about.

    >
    >Every time someone lays that tripe out; I ask them a simple question:
    >
    > Do you ****/have sex/etc in public?
    > If you have nothing to hide...why not?
    >
    >They usually start babbling about then...


    There are some serious loopholes in your "simple" rhetorical question.

    The first is that we are considering information here. There is a
    difference between telling the public that you have sex or that you
    defaecate, and actually demonstrating that functionality in a public
    place.

    Second, paranoia is being used to describe somebody who (ignoring the
    psychiatric definitions) in this instance is obsessed with hiding
    information because he believes the information is more important than
    it actually is. It seems that you are trying to describe somebody who
    has nothing to hide, should be an exhibitionist, and is clearly
    exactly the opposite.
    Reactions to having feelings of "something to hide" and "having
    nothing to hide" can certainly cause extreme behaviour. Walking
    around with an M16 and "taking everybody out" who glances at you,
    while you use your VOIP mobile might be a little more extreme than
    deciding to have sex or defaecate in public - but both are at the ends
    of the same spectrum (and both, fortunately, are frowned upon by the
    law). If you can't tell why not?, then perhaps you should seek some
    professional help.

    Lastly, if you want to discuss sex and defaecation in a VOIP
    conversation then that is up to you. I'm certain that you will not
    need any encryption whatsoever to discourage others from listening to
    you, but if they did, I don't suppose it would matter a sh*t etc.

    I think you mentioned tripe somewhere....



  10. Re: VOIP over Wi-Fi subject to eavesdropping?

    In article ,
    jnitron wrote:

    :>>Paranoia is the hallmark of somebody who has something to hide and he
    :>>believes others have reason to be concerned about.

    :Second, paranoia is being used to describe somebody who (ignoring the
    :psychiatric definitions) in this instance is obsessed with hiding
    :information because he believes the information is more important than
    :it actually is.

    Circular reasoning. When you were challenged on your statement
    by people who were understanding it in terms of the usual definition
    of "paranoia", you redefined "paranoia" to describe
    the symptoms which earlier you said were a "hallmark" of some people.

    It's like saying, "Ferdnitz is the hallmark of people who frobitz",
    and then "Ferdnitz is being used to describe people who obsessively
    frobitz". How can you possibly be wrong, when you've redefined
    the terms so that you are right by definition?
    --
    "I will speculate that [...] applications [...] could actually see a
    performance boost for most users by going dual-core [...] because it
    is running the adware and spyware that [...] are otherwise slowing
    down the single CPU that user has today" -- Herb Sutter

  11. Re: VOIP over Wi-Fi subject to eavesdropping?

    On Tue, 09 Aug 2005 03:19:49 +0100, jnitron
    wrote:

    >Big brother is not yet completely concerned yet (I believe) about
    >the trivial lives of the majority of its citizens, and what they
    >discuss in their VOIP conversations.


    You have inside knowledge of what Big Brother is interested in
    collecting? Do you work for Big Brother?

    >Skeletons in your
    >cupboard?...sure, then don't discuss them on the phone.


    Somehow, I thought that I had an expectation of privacy when talking
    on the phone. I guess not. I'll appoint you official censor to
    decide what I can safely discuss over the telephone.

    >>Oh? Could I trouble you for your bank ID, social security numbers,
    >>birthdate, mother's maiden name, credit card numbers, collection of
    >>passwords, and name of your mistress? Surely you don't think these
    >>should be kept hidden.

    >
    >So why would you discuss them in a VOIP call ?


    OK, let's take them one at a time:
    Bank ID: When someone rips off my credit card number and the bank
    phones me to verify the purchase.
    SSI number: Used to verify my identity when talking to my bank.
    Birthdate: Used to verify various accounts (bank, cheque, credit).
    Mother's maiden name: Also used to verify identity.
    Password collection: Walking my customers through an email or account
    setup.
    Name of Mistress: Never mind.

    Are these sufficient reasons to mention these over the phone?

    >JN25 was reportedly broken before Pearl Harbor by the British at
    >Singapore where John Tiltman worked. Tiltman, who was born in London
    >on May 24, 1894, later worked at Bletchley Park. The Americans did
    >"break" JN25 but not until many months later.
    >http://www.fpp.co.uk/online/00/09/Codebreaking1.html


    Thanks. I didn't know that the British had preceded the Americans in
    cracking JN-25. The book I previously noted did not include any
    mention of British contributions to cracking JN-25.

    >There is only one way to keep secrets
    >and that is not to tell them, as demonstrated by the documented
    >Japanese radio silence prior to Pearl Harbour.


    That's not very practical for running a world wide military operation.
    It might be possible to maintain radio or telephone silence for a
    short period of time, for a single operation (Battle of the Bulge),
    but to maintain any coordination with distant operations requires
    radio and telephone communications. Similarly, if I want to do business
    these days, I have to use unencrypted email and unsecured telephones.
    Using sealed letters might be an alternative, but would be very slow.

    >>Did you ever wonder why it's not encrypted? You could easily have
    >>encrypted email and authenticated servers without much difficulty.
    >>There are RFC's describing the techniques in detail. The problem is
    >>that you lose anonymity in the process. It's impossible to encrypt
    >>and authenticate without pointing a finger directly at the source of any
    >>traffic. There are a large contingent of users that consider
    >>anonymity equivalent to privacy and don't want to lose that for fear
    >>of government or corporate reprisals. I consider this to be a real
    >>fear and the major stumbling block preventing universal encryption.


    >I don't agree... it's not encrypted because it mostly does not need to
    >be encrypted.


    Who are you to judge what does and does not require encryption? If a
    link is deemed to be secure, then EVERYTHING going across that link
    should be encrypted. Most of the traffic probably doesn't need to be
    encrypted, but once the capabilities are present, encryption becomes
    part of the definition of security and is therefore required for all
    communications along that link.

    >Pre Shared Keys for example, make it possible to have a
    >message encrypted without the recipient (or anybody else) knowing
    >where the message originated.


    True. PGP also has an anonymous encryption feature. However, the
    limitations of pre-shared keys are well known. The RFC's I mentioned
    include authentication methods that are traceable back to the
    originator. This is generally required to prevent spoofing. We could
    create an encryption system without authentication, but if you also
    want to prevent spoofing, identity theft, spam, and counterfeit
    servers, authentication is required.

    >... why bother to encrypt VOIP when
    >the only real identifier and prevention of anonymity is possibly voice
    >recognition (or sitting next to the people having the VOIP
    >conversation).


    I'm a fan of X.509 certificates and authentication. I want to know
    that the other end of the conversation is my intended recipient, and
    not a simulation generated by a computah. When I used to work at a
    radio station, I did a fair job of impersonating various personalities
    by engaging in a conversation using recorded sound clips.

    >Again, it is clear that your conversation would have not needed to be
    >secured apart from the fact that you decided to inappropriately
    >disclose a secret.


    Again, who are you to decide which of my conversations need securing
    and which may be safely sent in the clear? Wouldn't it be better and
    safer to encrypt everything rather than risk inadvertently blabbering
    something inappropriate or confidential?

    >Tell me...if your conversation had been encrypted
    >would you still have felt the need to change the password?


    Oh yes. I needed to remind the customer of the root password over the
    phone because we needed to get the server up and running as quickly as
    possible. Delays meant lost dollars. However, I made it a point of
    changing the major passwords on such systems about every 3 months. It
    was overdue and thought this would be a good time. Had I changed it
    previously during the regularly scheduled cycle, I would probably
    *NOT* have changed it on arrival, and ended up getting hacked. I
    guess I had good karma or something.

    Had I known and trusted the encryption, I probably would have felt a
    bit better about disclosing the password. However, knowing that most
    cellular systems with encryption (i.e. CDMA) also have automated
    wiretap facilities at the switch, methinks I would tend to treat the
    circuit as unprotected.

    >If you
    >would - what would the point have been in the encryption?


    I don't. The only encryption I trust is end to end. Cellular
    encryption is NOT end to end.

    >If you
    >wouldn't - would you have relied on the encryption to keep your
    >secret, or, would it have been better not to have told the password in
    >the first place?


    You mean like relying on WEP128 wireless encryption when it's known to
    be crackable by commonly available tools? That's a judgment call
    based on the technology used. I'm familiar with CDMA encryption
    (CAVE) and know some tricky ways it can be theoretically cracked.
    It's also not encrypted between the cellular switch and the PSTN. I
    don't have a simple answer for all types of voice/data links and
    encryption methods. My general rule is lousy encryption is better
    than none because it eliminates a large number of lazy and marginal
    hackers from the playing field.

    >Or was it just luck that the timing of the password
    >change coincided with your disclosure.


    Pure luck that I changed it on arrival. Sorry, it's not a perfect
    example of the dangers of unencrypted voice traffic, but it's close
    enough.

    >How many times do we return to find that we'd forgotten to lock the
    >car (but nothing thankfully is missing). Would the car have been more
    >secure if we'd locked it? If yes, then only because of the probability
    >of an intrusion and not because of something evidenced by facts.


    We can play this one by the odds if you want. Chances are very small
    that an individual VoIP conversation will get hacked. The chances are
    sufficiently small that risking an un-encrypted conversation might be
    an acceptable risk. However, it's not the odds, but the risks. Is the
    risk of hacking worth the cost and overhead of encryption? Again, it
    depends on the traffic and hardware.

    >So... why did you reveal the root password?


    To expedite a crash recovery while I drove like a maniac to the
    customer's server farm.

    >Crime-think is not built
    >into VOIP phones and probably shouldn't need to be. The Eskimo story
    >earlier in this thread sums it up. While we should (and do)
    >acknowledge human imperfections, the answer is not in phone
    >technology, but in how we use it.


    A very poor answer methinks. By limiting my ability to exchange
    secrets and confidential information via a medium that could be
    private and secure, you'll limit the usability of that medium.
    Whether this is a fair tradeoff depends on the costs of encryption and
    the effects on usability.


    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice http://www.LearnByDestroying.com
    # http://802.11junk.com
    # jeffl@comix.santa-cruz.ca.us
    # jeffl@cruzio.com AE6KS

  12. Re: VOIP over Wi-Fi subject to eavesdropping?

    CyberDroog wrote:

    > On Thu, 04 Aug 2005 02:23:01 -0800, floyd@apaflo.com (Floyd L. Davidson)
    > wrote:
    >
    > >Do not ever say anything on a telephone that you cannot live
    > >with seeing on the front page of tomorrow's local newspaper.

    >
    > This thread reminds me of the novel The Light of Other Days (Arthur C.
    > Clarke and Stephen Baxter.)


    http://technovelgy.com/ct/content.asp?Bnum=692

    <http://www.scifi.com/scifiction/clas.../shaw/shaw1.html>

    --

    Peter
