Forgot your password?
typodupeerror
Communications United States Your Rights Online

Wikileaks Publishes FBI VoIP Surveillance Docs 145

Posted by CmdrTaco
from the watching-the-watchers dept.
An anonymous reader writes "The folks on wikileaks have published a new interesting and shocking report: FBI Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service. The 88 paged document, which is part of the CALEA Implementation Plan was published in January 2003 and describes in detail all needs for surveillance of phone calls made via data services like the internet. Wikileaks has not published any analysis yet, so maybe some of the techies hanging around this end of the internet are interested in taking that one on."
This discussion has been archived. No new comments can be posted.

Wikileaks Publishes FBI VoIP Surveillance Docs

Comments Filter:
  • by CRCulver (715279) <crculver@christopherculver.com> on Saturday March 15, 2008 @06:52PM (#22761952) Homepage
    We desperately need a personal Internet telephony program that has full support for encryption. PGPfone was left unmaintained a decade ago, and Ekiga won't have encryption support until version 3.0. It's like there's a conspiracy to leave the public without such a basic tool.
    • by mikiN (75494) on Saturday March 15, 2008 @07:08PM (#22762050)
      Twinkle [twinklephone.com]?
      It handles encryption using ZRTP [wikipedia.org]/SRTP [wikipedia.org] and can do point-to-point (IP2IP) calls like good'ole Speak Freely.
      • Twinkle [twinklephone.com]?
        It handles encryption using ZRTP [wikipedia.org]/SRTP [wikipedia.org] and can do point-to-point (IP2IP) calls like good'ole Speak Freely.

        If I can't even convince my friends who use Pidgin already, to install PidginEncryption, how am I supposed to get them to use VOIP encryption?

        "Well, it won't happen to me..."
        Part of me wants to support further government wiretaps so that more abuses come to light and we can hopefully then convince people that privacy is important. But the other part hates it when innocent people are tortured for things they did not do.

        So what's the right course of action? I'm starting to wonder if I'm one of the few people

    • by CNeb96 (60366) on Saturday March 15, 2008 @07:35PM (#22762170)
      It was replaced by zphone http://www.zfoneproject.com/ [zfoneproject.com] alive and kicking and better.

      Q: What is Zfone?

      A: Zfone is my new secure VoIP phone software which lets you make secure encrypted phone calls over the Internet. The ZRTP protocol used by Zfone will soon be integrated into many standalone secure VoIP clients, but today we have a software product that lets you turn your existing VoIP client into a secure phone. The current Zfone software runs in the Internet protocol stack on any Windows XP, Mac OS X, or Linux PC, and intercepts and filters all the VoIP packets as they go in and out of the machine, and secures the call on the fly. You can use a variety of different software VoIP clients to make a VoIP call. The Zfone software detects when the call starts, and initiates a cryptographic key agreement between the two parties, and then proceeds to encrypt and decrypt the voice packets. It has its own little separate GUI, telling the user if the call is secure. It's as if Zfone were a "bump on the cord", sitting between the VoIP client and the Internet. Think of it as a bump in the protocol stack.
      • by flynn23 (593401)
        This would definitely benefit from being implemented in as many VoIP devices as possible (ie. Linksys SPA-xxxx boxes). Even better if someone can port this to a chip.
    • by mpapet (761907)
      I don't know how many *clients* support TLS, but openser (voip server) definitely does.

      It's just too late to reclaim/roll-back any privacy. The horses left the barn YEARS ago. 10+ years anyway. I'm not advocating the untenable position of "I've got nothing to hide, so it's okay." This is just standard operating procedure at this point.
    • by reuteler (819104)
      well, if you're an asterisk user and you have a provider who uses the IAX protocol (vitelity, callwithus, or point to point to another server) asterisk will encrypt all IAX channels -- you just have to add encryption=aes128 to the entry in iax.conf. pretty cool actually. it's not really at the level of the end consumer, yet.. but it's slick.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Actually, I think it's time that all forms of electronic communication incorporated encryption. It should be the default configuration.

      As long as we have governments that routinely want to invade our privacy, our routine conversations should make it very costly for them to do so.

      Anyone who uses encryption now attracts attention whether it is warranted or not. The only way to allow those who wish to protect their privacy the ability to do it without opening them up to scrutiny is to raise the backgroun
    • How about "ssh -f -N -L...."? Tunneling IAX (or MGCP -- SIP is a bit problematic, since it chooses random ports) through SSH is pretty easy to do.
      • by profplump (309017)
        Both SIP and IAX are UDP-based, and won't tunnel via SSH's TCP tunnels. And UDP->TCP encapsulation is a bad idea for things like VoIP; you probably don't want to drop 2 seconds of the conversation just because 1 packet got mangled, and you sure don't want to waste bandwidth re-transmitting things that will never be played back.

        However, IPSec's 3DES-CBC and AES-CBC modes both re-initialize for each datagram, so it can handle encryption on UDP packets without requiring in-order, complete reception or retra
        • In theory, you are exactly right -- tunneling VoIP through SSH is not a great idea for all the reasons you mention above. In practice, however, it works, and according to a network world (IIRC) article I read, it sometimes works even better than straight UDP. I'll have to see if I can find the article and post a citation; no promises, though. For a more concrete example, the company I work for provides network services to a client that has a number of remote sites served through a terrestrial microwave n
  • Encrypted (Score:2, Insightful)

    by warrior_s (881715) *
    I think its now time that one should start encrypting all voip traffic.. I understand we don't even have https everywhere right now..
    use smartphones.. use encrypted voip to make all the phone calls, and use the regular service provider to make emergency calls like 911
    I think this is the way to go..

    I know some one will say there are attacks possible on encrypted connections... but the question is that its not feasible to attack every connection out there.. atleast make their job as difficult as possibl
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Agreed, but the issue is "all" or at least "most". As you probably know, if you send encrypted e-mail, it's like waving a big red flag at the NSA, "Oooh, I'm doing something I don't want you to see!" Unless you do it from an IP address you don't regularly use, you are asking to show up on all kinds of lists you most assuredly do not want to be on. The same would be true of encrypted VOIP. But if we had a mass movement of encryption, it becomes a form of civil disobedience. You may still get on a list, but
    • by KiloByte (825081)

      I understand we don't even have https everywhere right now..
      Mostly because to use https for anything but internal communication between tech-inclined people, you need to pay a tribute to VeriSign or another member of the SSL cert scam group.

      And recent changes to Firefox3 make the issue much worse.
  • by MyNameIsFred (543994) on Saturday March 15, 2008 @07:06PM (#22762030)
    I'm trying to figure out why the summary calls this document "shocking." Interesting yes, shocking no. It is well known that the law requires VOIP providers to maintain a capability for law enforcement agencies to wiretap. This requirement has been around for years, and is completely consistent with older "Plain Old Telephone Service." Its not like CALEA is hidden. You can find its website with a quick google. The author of the summary seems to be conflating CALEA with the dustup with the Bush administration and unlawful wiretaps. They are separate issues. Conflating them helps no one.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      I'm inclined to agree. I looked into CALEA a couple of years ago as part of an investigation to see what impacts it might have for universities. Much of the public criticism seemed to assume that it was a way for law enforcement to tap all communications. In fact, it is the exact equivalent of existing wiretaps: they don't get a full feed; they get data for specific authorized interceptions. I admit to some concern about apparent diversion of massive traffic flows. It may be a good idea, but I'd like to see

    • Re: (Score:2, Interesting)

      by Anon12 (1256996)
      True - but it is interesting, I very surprised they were only assessing the need to access VoIP calls in 2003. That seems pretty late.
    • by kesuki (321456)
      the problem is very big though. VOIP uses lossy codecs to make calls save space. they do this from the point of transaction. allowing the Feds to get 'full quality' audio for calls basically calls for a backdoor to be written into the client application itself, BEFORE it encodes the audio, and sending it full quality to the Feds for analysis. this causes 2 huge problems, especially in real time. 1. instantly end user notices they use up all their bandwidth sending 'full quality' (lossless compressed if y
    • no surprises. you want a capture/decode device at the trunk, you want to see the management system real-time, and you want the billing setup records real-time. that covers the waterfront. listen in off your PC from the sniffer. three windows open on the screen.

      that's the modern equivalent of a hybrid coil, a capacitor, and a 600-ohm headphone on clip leads.

      the important thing is to convince a judge who is knowledgeable in the law that there is a criminal act in progress with other evidence, so you can
  • Old (Score:5, Informative)

    by RockMFR (1022315) on Saturday March 15, 2008 @07:22PM (#22762106)
    This was leaked at least 4 years ago [interesting-people.org].
  • Public Standards (Score:5, Informative)

    by chill (34294) on Saturday March 15, 2008 @08:08PM (#22762304) Journal
    Yawn. This is the FBI's implementation plan, not some super-secret details of the specs. This is derived from J-STD-025A, J-STD-025B, and EWA 3.0 AMTA docs. Feel free to Google for those. The first and last you should be able to find. The "B" one they want money for, so it is harder to find freely online.

    Those detail exactly WHAT and HOW monitoring is going to occur, on a technical level.

    And don't get your knickers in a twist about the FBI document. I've already seen one instance where the FBI told a carrier "we want it done this way" and the carrier's lawyers said "no, that isn't legal and we won't do it". Of course, it was probably a result of the software not being implemented in that manner and it would have cost the carrier mucho $$ to do it the FBI's way...

    Nothing like a few $$ to prompt the legal dept. to see it your way.

    http://www.google.com/search?q=j-std-025&ie=utf-8&oe=utf-8&aq=t [google.com]
  • by aachrisg (899192) on Saturday March 15, 2008 @08:37PM (#22762434)
    The words "warrant" and "judge" do not appear in this document.
  • by Animats (122034) on Saturday March 15, 2008 @09:35PM (#22762626) Homepage

    There's not much new here. If you're familiar with CALEA, the law that hooked the Government into the phone system big-time, this is basically the same set of requirements the FBI wanted for voice calls. There was a big disagreement in the voice world over in-band signalling. The question was whether a "pen register" warrant authorized access to signalling data that goes over the voice channel, like Touch-Tone tones sent to some non-carrier device. The FBI was bitching about that for years.

    The trouble with all this stuff is that Congress didn't mandate proper auditing. Every surveillance event in CALEA ought to be logged by the Judicial Branch, at the Administrative Office of the U.S. Courts. [uscourts.gov] We don't have that.

    • I'd hardly call the "pen register" any kind of warrant. It's a court order that the judge has to issue if the government states that the information likely obtained is relevant to an ongoing criminal investigation. The government does not have to show any probable cause or even suspicion of criminal activity by the person under surveillance. The government uses the "pen register" order to wiretap all kinds of information beyond telephone numbers. While the Patriot Act expanded the pen register to any k
      • The pen register act (title III under the 1986 ECPA) is a privacy law. Prior to the act no judicial order was required because of the fact that individuals making phone calls are disclosing the numbers they dial to a third party (the phone company) and thus should have no expectation of privacy in regard to the numbers they dialed. There is no Constitutional guarantee of privacy for information disclosed to a third party. Law enforcement benefits from the pen register act because court orders granted under

        • I don't think that information transmitted to a third-party is automatically without an expectation of privacy. For example, there's an expectation of privacy in the digits we dial after being connected in a call (PCTDD)- like dialing your account number, routing a call through a calling card company, or routing to a different department/company through the bank's IVR. The government would need to get a warrant to do those searches.

          Also, the Supreme Court and other courts have generally protected anonymity
  • I don't get why a site with "news for nerds" says in a summary
    "techies hanging around this end of the internet".

    Also the grandparent professes shock when this is already well known.

    Can we walk out of preschool please? The subject matter is interesting and important but slashdot needs editors with a college degree.
  • by Anonymous Coward
    the ability of the FBI, to intercept and change the conversation on both ends. In real time. Very handy feature that is being used by DOD and FBI.
  • Are the VOIP providers being stuck for the bill on this? Implementation of this would be/is a pain, especially for those "VOIP as a service" companies that target corporate customers.

    Cisco, Nortel etc. must have a back door for these guys to make work easier for them, either that or somebody is getting rich off contracting voice engineers out to the Feds.
  • This has been bugging me for a bit, so I'm just going to get it off my chest, probably get modded flamebait or offtopic too

    Everyone on the site seems concerned with privacy, doesn't it make you all incredible hipocrites to say that businesses and government aren't entitled to that too? It's not that I'm for govt spying or companies ravaging consumers, but just saying it's a bit hippocritical to have a wikileaks story frontpage every day after preaching about privacy.
    • Re: (Score:3, Insightful)

      by LaskoVortex (1153471)

      "Privacy" as discussed here is about protecting privacy from the government, to whom we pay taxes and who might imprison us, prosecute us, or target us for our beliefs, words, or affiliations. Privacy from the general public is a different issue. Please argue that issue elsewhere as it confuses (and is probably intentionally meant to confuse) the real issue of privacy with regards to the government. If you still don't understand, I'll repeat it in bold face: "Privacy" as discussed here is about protecting p

    • Everyone on the site seems concerned with privacy, doesn't it make you all incredible hipocrites to say that businesses and government aren't entitled to that too?

      There is no contradiction here. Government, and government officials when operating in their official capacity, are not entitled to privacy; they are beholden to the people. With businesses, it depends. A sole proprietor is entitled to nearly as much privacy as any other person; he is beholden to himself and his customers. A huge corporation is entitled to much less; it is beholden to all of its shareholders, who may number in the thousands.

  • Uh...why is this "shocking?" The telephone systems use VOIP and cell phones didn't exist 30 years ago. There were a few portable phones but nothing like today.

    That's a serious question. I know, this is Slashdot, the home of foil hats and radial paranoia by broke students...

It is wrong always, everywhere and for everyone to believe anything upon insufficient evidence. - W. K. Clifford, British philosopher, circa 1876

Working...