Something bothers me about the recent spate of crypto voice news - it looks like we have bungled the threat model, yet again. Do we never learn?
For some reason phone tapping, VoIP and the like are much in the news, and a couple of references have been spotted to suggestions that we should rise to defend that space. Firstly over at the cryptography list, where all are agog about wiretapping in Greece, secondly in many articles to-ing and fro-ing over Zfone and Skype (go guys!) and now a more serious call from Bruce Schneier in Wired:
"This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Encryption is one of the essential security technologies for computer data, and it will go a long way toward securing VOIP."
I'm all for it! But the repeated references to encryption have that earthly Douglas Adams feel to them - somewhere between "mostly harmless" and downright dangerous through systemic underestimation.
We all love encryption. But when it comes down to it, encrypting the voice channel is such a small part of the equation that I wonder why the fuss? Is it because we all get that wonderful geeky buzz when we shove 256 bits of full blooded AES right back up the NSA's pipe? Smoke that, spook!
I think that's a lot to do with it. And I wouldn't want to ruin anyone's fun - coz crypto should be fun - but while all the cryptographers are dancing around counting bits on a pinhead, they are in danger of missing the real threat.
No, I'll go further than that. We, they, me, all of us - the whole Internet security community - has actually missed the threat. Quite possibly by a decade or so.
The real threat is tracking.
Why is this? Lots of reasons, but unfortunately they are ho-hum, low tech, under the radar reasons. Not things that the geeks can get addicted to, not ones that give them a buzz. Nothing you can write about in Wired, or in cryptography lists, or the popular journalism of the security press, I suppose.
Still, let's give it a shot and see if we can't save the voice threat model before it follows its predecessors into a decade of confusion, waste, and endless laugh value for the attackers. There are a number of ways of looking at this. I'm not shy, I'll try them all.
Consider GSM, as a great forerunner to encrypted VoIP. It uses something like a 40-bit crypto algorithm that's as weak as water. After cryptoplumber Lucky Green reverse-engineered it out of the chips in a 3 month marathon hacking effort, cryptobuddies Dave and Iang (the other one) cracked the actual algorithm in an afternoon. By the time that was done, GSM as a cryptosystem was just so many bits strewn across the floor, or at least the standard version of A5 was. The journalists loved it!
Or so it seems. In fact, the security model was still good! GSM was unchallenged because Lucky and friends weren't in GSM's threat model - the paparazzi and the phone spoofers were the threat and those scum still have some deal of trouble making their attack.
Meanwhile, the GSM juggernaut rumbled on, untroubled. We are now in a Europe where there are as many phones as people - everyone but everyone has one, and every Finn has two. (And they're all encrypted - Yoo Hoo! Plus, if you have one of those supercool cryptophones, they are doubly encrypted at 256+256 volts .. er .. bits!)
The Americans aren't that far behind, with the slight notable exception of having many different systems. Asian and Latino cultures show no real slackening in cellphone worship either, probably because the lack of good copper systems overcame any braking effect of lower incomes.
Now, consider the facts. That is, the facts that are extracted from tracking versus the facts that are extracted from wiretapping. The facts we can get from tracking are hard - when, where, with whom. They look good in a database, they cross-correlate, they datamine, they stand in court. Indeed, all of society's investigative, dispute and judicial processes are based on these sorts of facts, so the new technology of person tracking fits in well with the old ways of doing things.
In contrast consider the facts in a voice conversation. They are hard to put in a database (so forget about datamining), they consume racks and racks of data storage, they have to be searched for quality, and when it comes down to it, they are pretty darn soft - recordings of voice don't stand well in court. Ludicrously, there seems to be research that suggests that use of wiretaps correlates negatively with conviction rates.
So we have this little thing in our pocket - all of us - and it's trackable. It generates a quality set of facts. All the time, whenever it's powered on. Which leaves one question only - are the facts available?
Nominally, most governments and telcos will say that such data are not available. But evidence is starting to suggest another picture. I have it on reasonable but anecdotal authority that the police in a few countries in Europe have full access to GSM tracking - at the tower. The developments in the US would suggest that the NSA isn't that far behind, unless they are already there (there's that silly story about machines collecting data not being against the rules -- what to make of that? -- well, the story is there and repeated by the spooks, so they must be saying it for a reason . . .). And, plans proceed afoot to integrate this data-that's-not-illegal across the usual suspects, the TLAs.
Here's one anecdote I might have heard. Police - your ordinary plod - can pick you up off the streets, like at a demonstration or something, and show you on TV in the vicinity of other demonstrations ... other months ... other places ... with other people ... using public surveillance cameras.
Now, how could they have correlated all that information? Perhaps they were using a Bluetooth rifle on your iPod? Maybe the police are tracking the RFIDs in your clothing?
Nah - the only systems approach that makes sense is that they are datamining the tower hand-off records. How this works we leave as an exercise to the victim.
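An added illustration, not part of the original post: the Python below measures how few (tower, hour) sightings are needed to single out one subscriber in a set of hand-off records, and how that changes when the identifier is not static. The record layout, identifiers and tower names are constructed assumptions, not real data or any telco's format.

```python
from collections import defaultdict
from itertools import combinations

# Constructed hand-off records: (identifier, tower, hour). No real data.
RECORDS = [
    ("sim-A", "T1", 8), ("sim-A", "T2", 9), ("sim-A", "T5", 18),
    ("sim-B", "T1", 8), ("sim-B", "T3", 9), ("sim-B", "T5", 18),
    ("sim-C", "T1", 8), ("sim-C", "T2", 9), ("sim-C", "T4", 18),
    ("sim-D", "T6", 8), ("sim-D", "T3", 9), ("sim-D", "T4", 18),
]

def traces(records):
    """Group sightings by identifier: id -> set of (tower, hour)."""
    out = defaultdict(set)
    for ident, tower, hour in records:
        out[ident].add((tower, hour))
    return dict(out)

def anonymity_set(traces_by_id, known_points):
    """Identifiers whose trace contains every known (tower, hour) point."""
    known = set(known_points)
    return sorted(i for i, t in traces_by_id.items() if known <= t)

def points_to_single_out(traces_by_id, ident):
    """Smallest number of ident's own points that match nobody else, or None."""
    pts = sorted(traces_by_id[ident])
    for k in range(1, len(pts) + 1):
        for combo in combinations(pts, k):
            if anonymity_set(traces_by_id, combo) == [ident]:
                return k
    return None

def rotate_identifiers(records):
    """Hypothetical mitigation: same sightings, fresh identifier per record."""
    return [(f"tmp-{n}", tower, hour)
            for n, (_, tower, hour) in enumerate(records)]

if __name__ == "__main__":
    static = traces(RECORDS)
    for ident in sorted(static):
        print(ident, "singled out by", points_to_single_out(static, ident), "point(s)")
    rotated = traces(rotate_identifiers(RECORDS))
    print("crowd at T1, 08h with rotating ids:", len(anonymity_set(rotated, [("T1", 8)])))
    print("linkable across two sightings:", anonymity_set(rotated, [("T2", 9), ("T5", 18)]))
```

With a static identifier, every subscriber in the sample is unique after at most two sightings; with a per-record identifier no two sightings can be joined, whatever cipher protects the call itself.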
This all would have been fine and dandy 20-30 years ago when governments in the west were a bit better behaved. But these days, suppression of civil liberties, tracking the naysayers, secret databases and so forth are all the rage (much to the chagrin of the newly liberated Eastern European peoples. "What, we got rid of communism . . . for this?").
As it all seems to be happening in secrecy, and as there are therefore no safeguards in place, this is a valid threat. If your local police can track you, they can also blackmail you. Even before we get to dishonest police, there are the telcos.
Here's how this threat evolves. First, they say they don't collect the data. Then they say they don't use it, except for engineering purposes. Then, they say that there are safeguards. Then, they say they don't supply it outside the company. Then, they sell it.
Your power in anonymity is stripped away by the secret availability of such tracking databases. We the people have no clue how this information is being used - and likely the first time we find out is when we can buy it ourselves to start spying on our spouses. (oops.)
Other than switching off the phone, what's to be done?
Well, all those cryptophone projects out there are still good - they just have to adjust their threat models. They've covered threats 2 through 9, now they need to think about threat #1. VoIP phones with any encryption are still fantastically good while there isn't massive and pervasive IP# tracking. (oops.)
To advance that theme - continue to support the cryptophones - Skype, Zfone, etc. They are your friends, both. But also cast an eye to the IP detrackers: Tor and the like. In my opinion, the whole P2P space (Jim says here) is far more relevant to the future of security, privacy, etc. than any product that knows how to spell AES.
Give me RC4 layered over hazenet any day. Hell, give me Rot13 if you can make a good showing that it's deeply hidden in the noise. Fixing Rot13 is child's play compared to unfixing a static IP# or a Sim#.
Posted by iang at April 11, 2006 12:49 PM