How To DDoS a Federal Wiretap

timothy posted more than 4 years ago | from the first-step-get-wiretapped dept.

Privacy 112

alphadogg writes "Researchers at the University of Pennsylvania say they've discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the US. The flaws they've found 'represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial,' the researchers say in their paper, set to be presented Thursday at a computer security conference in Chicago. Following up on earlier work on evading analog wiretap devices called loop extenders, the Penn researchers took a deep look at the newer technical standards used to enable wiretapping on telecommunication switches. They found that while these newer devices probably don't suffer from many of the bugs they'd found in the loop extender world, they do introduce new flaws. In fact, wiretaps could probably be rendered useless if the connection between the switches and law enforcement are overwhelmed with useless data, something known as a denial of service (DOS) attack."

112 comments

Pithy Comment (0, Offtopic)

Mikkeles (698461) | more than 4 years ago | (#30077246)

Great news! Thank you very much!

Re:Pithy Comment (0)

Anonymous Coward | more than 4 years ago | (#30077980)

You should have called "Frothty Pith"

Re:Pithy Comment (1)

xOneca (1271886) | more than 4 years ago | (#30085106)

He should have called "Firlst Post!".

Re:Pithy Comment (0)

Anonymous Coward | more than 4 years ago | (#30079338)

Great news! Thank you very much!

Why is this good news?

From the summary, "... the researchers say in their paper, set to be presented Thursday at a computer security conference in Chicago."

What do you think the effect of pre-announcing the presentation will be?

Hint: Ed Felten.

Re:Pithy Comment (1)

slummy (887268) | more than 4 years ago | (#30079414)

Exactly the same thing that happened to Steven Rambam at HOPE [washingtonpost.com] ...

I was there man, saw it all go down like watching numbers on the elevator.

That's a complex answer for a simple problem (0)

NotBornYesterday (1093817) | more than 4 years ago | (#30077254)

Of course, criminals have plenty of easier ways to dodge police surveillance. They can use cash to buy prepaid mobile phones anonymously, or reach out to their accomplices with encrypted Skype calls, said Robert Graham, CEO with Errata Security.

Duh.

Re:That's a complex answer for a simple problem (1)

jank1887 (815982) | more than 4 years ago | (#30079100)

actually, it's not even an answer.

"In fact, wiretaps could probably be rendered useless if"

keyword: PROBABLY

Re:That's a complex answer for a simple problem (1)

NotBornYesterday (1093817) | more than 4 years ago | (#30079550)

Exactly. And since they weren't able to get their hands on the actual HW/SW the feds use, their expectation of "probably" becomes even less trustworthy.

Re:That's a complex answer for a simple problem (1)

Thinboy00 (1190815) | more than 4 years ago | (#30079816)

The obvious answer is this: if the feds try to use the patriot act or something similar to suppress the findings, they are ~definitely correct. If the feds ignore them, then they probably don't care, meaning what they actually use is probably different from what the researchers used.

Re:That's a complex answer for a simple problem (1)

Fulcrum of Evil (560260) | more than 4 years ago | (#30081224)

How is that legal? I can publish detailed designs for a nuke, or how to get away with murder, but god help us all if I give info on how to DOS a wiretap.

Re:That's a complex answer for a simple problem (1)

Architect_sasyr (938685) | more than 4 years ago | (#30083748)

How is that legal?

More like "how is that not bullshit". I know we all spend time playing spot-the-fed, but does one really believe that they are that dumb? Even if the document is accurate, once it's on the Net it's about as easy to remove as crazy glue on the ass of a rhino - attempting to take it down not only confirms it, it leads more people to try it. As it is it's just filed as onemorepossibility in the "what if" files.

At least this sounds plausible.

Re:That's a complex answer for a simple problem (1)

darkpixel2k (623900) | more than 4 years ago | (#30082306)

actually, it's not even an answer.

"In fact, wiretaps could probably be rendered useless if"

keyword: PROBABLY

If we keep strengthening the encryption between the two endpoints, eventually wiretapping will become useless. ...and the feds will figure out how to tap the endpoints.

...you jolt awake at 4 AM. You listen, look around, and hear nothing through the bedroom window you left open at bedtime on that hot summer night. As a matter of fact, you don't even hear the man packing up his endpoint-wiretapping-dart sniper rifle on the adjoining rooftop. You simply rub your temples to try and rid yourself of the sudden, slight headache you've developed...and fall back to sleep.

In Soviet russia... (2, Insightful)

MaerD (954222) | more than 4 years ago | (#30077266)

Wiretaps DDOS you!

Ok, seriously? Overwhelm the signal to noise ratio and picking out the useful information becomes harder. It's just a question of how much and how long, not to mention how long after the fact is said information useful.
Better yet, why would anyone who seriously wants to avoid a wiretap *use a phone*? It seems like discussing anything over an unencrypted medium is asking for trouble.

Re:In Soviet russia... (0)

Anonymous Coward | more than 4 years ago | (#30077398)

In other news... by putting a banana in the exhaust pipe of the car or van that's been watching you, they can't follow you.

Re:In Soviet russia... (1)

PitaBred (632671) | more than 4 years ago | (#30078174)

I personally like potatoes. They're usually bigger than the exhaust, so they'll fill it up quite completely, and be a bitch to get out. A banana can be smooshed easily by hand to remove it... not so much with a potato.

Re:In Soviet russia... (2, Funny)

maxwell demon (590494) | more than 4 years ago | (#30077524)

Better yet, why would anyone who seriously wants to avoid a wiretap *use a phone*?

To connect his acoustic coupler :-)

Re:In Soviet russia... (1)

interkin3tic (1469267) | more than 4 years ago | (#30078194)

It seems like discussing anything over an unencrypted medium is asking for trouble.

Er... isn't /. an unencrypted medium? Isn't this thread discussing something that would fall under the category of "anything?"

(yes, I know what you meant, I just couldn't resist, I'm sorry.)

Buffering... (5, Informative)

chill (34294) | more than 4 years ago | (#30077332)

As someone who worked on a CALEA system for 18 months, implementing, testing and helping design, I can tell you one thing.

The specs of all the systems are such that they DO NOT BUFFER the actual voice, only the data. I mean the numbers punched, busy signals, etc. Buffered voice would rapidly overwhelm the system, so it is just dropped if the link from the CO (central office) to the LE (law enforcement) goes down.

Call data can be buffered for days, so that isn't dropped.

This isn't a flaw, it was a design decision. Good luck DDoSing a major telco switching office.

Redundant Technology (3, Interesting)

mikelieman (35628) | more than 4 years ago | (#30077584)

Given that the US Government had AT&T put optical splitters on the network backbones a while back, isn't this CALEA stuff obsolete? It still presumes that Warrants count and stuff and that they're not already copying all voice and data communications.

Re:Redundant Technology (3, Interesting)

vvaduva (859950) | more than 4 years ago | (#30077786)

Obsolete in the sense that it could be done better, or that new technology is already out and readily available to law enforcement? To me it looks like something that works well enough to catch bad guys. The paper deals with a lot of theoretical stuff that will be very hard to replicate in the real world; drug dealers, jihadists and even well-skilled technical people will have a really hard time overloading a major telco switch without access to expensive hardware and lots of resources which very few people have.

Re:Redundant Technology (0)

Anonymous Coward | more than 4 years ago | (#30078544)

Maybe it would be easier to figure out the system on the LE (receiving) end and DDOS that? It's admittedly a lot more ballsy to go ring the doorbell on the cops' door and run away. However, under the right circumstances, say if you have some expendable machines in a botnet, it may be worth it. An example situation might be someone in a terrorist/criminal organization who only has one contact number for someone who they suspect may be being monitored and need to contact them: perhaps it's to advise them of an alternate channel or maybe to threaten them without leaving a LE recording of that threat.

Re:Redundant Technology (1)

LifesABeach (234436) | more than 4 years ago | (#30078580)

I don't need to waste my time making Law Enforcement MORE confused. Instead I lobby to change clauses in various laws till what I am doing is legal. Let the Sergeant Stedenkos [imdb.com] work with that.

Re:Redundant Technology (4, Informative)

chill (34294) | more than 4 years ago | (#30078352)

Not really. That stuff is a firehose, and few jurisdictions are capable of handling anything like it. CALEA is for small town police depts as well as the FBI. Warrants are entered by the PD clerk, which are submitted to the CALEA system. The system is separate from accounting and everything else, so no one who isn't authorized has access to the info.

The system then flags a number and whenever a call is made to or from that number, it is duplicated inside the switch and a stream sent to the CALEA system. This includes busy signals, party line calls, SMS, etc.

The CALEA system establishes a secure tunnel (IPSec) inside the telco network to an IPSec gateway. We were working with Juniper boxes at the time. From there, the tunnels are broken out to the various law enforcement offices that have open warrants. One goes to the FBI, one to NYPD, etc. The entire internal network was GbE for the nodes and 10 GbE for trunks. Again, good luck DDoSing that.

Tunnels to the various LEOs varied in size depending on the size of the department and how many active warrants they had. A minimum of 1.54 Mbps, IIRC. Pipes to the FBI in Quantico, LAPD, NYPD and a couple others were larger by default.

Re:Redundant Technology (0)

Anonymous Coward | more than 4 years ago | (#30080608)

... so no one who isn't authorized has access to the info.

I hereby nominate the above for laugh of the century thus far. This kid's got potential.

Re:Redundant Technology (0)

Anonymous Coward | more than 4 years ago | (#30082486)

This sounds like the weak link in the chain is the PD clerk's data connection to the CALEA system.

Granted, I don't know any detailed information, but this is where I personally would attempt to set up a packet flood internally, by listing EVERY number in the "can be flagged" pool as being "watched."

This would cause the CALEA system itself to saturate its own bandwidth with replicated traffic. (replicating the use records of hundreds of thousands of people, instead of just a few hundred or so, would tend to do that pretty quick.)

The Real World dictates that the connection the clerk uses will have some kind of strong encryption active, and will follow up on warrant requests; but encryption, like any other lock, just keeps honest people honest, and somebody with a dedicated interest and sufficient time would be able to perform a man in the middle with such dedicated endpoints, and be able to trick the followup daemon with false verifications.

This isn't the kind of thing that would happen overnight, but given several months to a few years of aggressive monitoring and brute force decryption, it would fall on its face.

Re:Redundant Technology (1, Informative)

Anonymous Coward | more than 4 years ago | (#30084098)

The entire internal network was GbE for the nodes and 10 GbE for trunks. Again, good luck DDoSing that.

Exactly.

The theory is that there is only a single 64k data channel from the Telco to the law enforcement agency. 64kbps is the amount of data assumed for a single voice call, so to say that they installed these things with the ability to only tap ONE phone call at a time is a little naive IMHO. More than likely they have been running full PRI trunks or loading it onto a nice fat fiber pipe for some time.
In any case, it's actually a fairly moot point, because as long as you're saturating the 64k connection for your phone number, it's not like you can actually USE it for anything, and as soon as you start talking and not redialing it's recording you anyhow. And there is a limit on how fast the call agent will even allow you to setup and tear down calls. Besides, I've worked in a Telco data center, and the local law enforcement's server was directly connected to the call switch with a cable, and sat right next to it in our datacenter, and the agency would just log into it and pull down whatever logs they needed at the time.

Besides, if you already know you're being tapped, the best way to avoid it is just not talk on the phone.

Re:Buffering... (3, Interesting)

starfishsystems (834319) | more than 4 years ago | (#30078042)

I developed a similar system. This particular product is not restricted to voice, but supports any network device which can mirror its packet traffic.

Under its present interpretation, CALEA applies to any sort of subscriber data. If law enforcement can clearly identify the subscriber and the intercept period, the network provider is obliged to supply all data carried for that subscriber during that period. That could be your voice traffic or web browsing or email or whatever. The plant has to be engineered accordingly, but that's essentially a capacity issue.

On the other hand, it's important to note that there is no obligation upon the provider to interpret the supplied data. Such an obligation would be unreasonable and unenforceable. Instead, law enforcement is basically getting a raw PCAP file.

I'll tell you what I found to be the most interesting aspect of this project. There is very strict language in CALEA against intercepting data except for the specified subscriber during the specified period. Of course we were careful to implement controls over that. But until I insisted on the point, nobody even considered that we might want to have controls to verify that the intercept request came from a bona fide court and that the intercept data would be sent to a bona fide law enforcement agency.

Re:Buffering... (3, Informative)

chill (34294) | more than 4 years ago | (#30078686)

Well, the company's lawyers got the FBI to sign off on the voice buffering bit, and yes it was mostly a capacity issue. Whether that'll change in the future is up to whether or not the gov't decides to pay for it. I think that was the main argument. "You want HOW MUCH DATA buffered? Excuse us while we break out the BIG calculator to prepare you a quote."

No, we weren't interpreting data. Raw XML was passed over for control and signal data, and voice was sent as a raw codec stream. The codec was from Qualcomm, and we did have to assist in making sure the FBI could receive and decode it properly. Only the FBI needed the help because they wrote their own code. All the other LEOs used off the shelf software from Qualcomm.

For a while, I had a laptop that could inject requests into the stream -- bypassing the warrant step -- create an arbitrary IPsec tunnel and feed a raw stream of XML+voice to any IP of my choosing. I used to work at the hotel at night debugging call data. We had a microcell network set up in one of the suites.

Educational stuff.

Re:Buffering... (1)

Kodack (795456) | more than 4 years ago | (#30078696)

Yes the data is buffered in several places but the voice is sent out to PSTN via a 3way calling feature of the DMS. Interrupting the voice portion of the call is possible just like war dialing to overload a phone number is possible. But that assumes they know the LEA's number to call, that they have enough skype bots to do it, and that the intercept target is only going to 1 phone number.

A typical intercept involves several agencies and sometimes voice is sent to an agent's cellphone as well. You can't be sure how many places the voice portion of the intercept is going but the SS7 telephony side of the house is much more hardened and difficult to gain access to than the IP side of it. Good luck getting your own STP to hide your criminal activity.

Re:Buffering... (0)

Anonymous Coward | more than 4 years ago | (#30078770)

you do realize that the dms is just a family of switches from nortel, right?

and that a lot of intercepts may be worked in task forces but are only being delivered to one place.

Re:Buffering... (1)

Kodack (795456) | more than 4 years ago | (#30078956)

DMS is just an acronym for a message switch. Ericsson, Lucent, Alcatel, Nokia, Nortel, doesn't matter who makes it, the standards are the same.

Re:Buffering... (1)

Kodack (795456) | more than 4 years ago | (#30079002)

PS, and I can tell you from experience it's not uncommon for the voice portion of a call to go to multiple recipients and for an intercept to send data to more than one agency. And at each step of the way it is stored if unable to be sent, and in the last leg before it gets to the agency it's actually archived.

You would need somebody inside of the telco's network with very specific knowledge in order to interrupt an intercept. I think the paper exposes a flaw more with that device than with CALEA.

Re:Buffering... (1)

chill (34294) | more than 4 years ago | (#30079636)

Not in this case. I was working on a cell network and it was 100% VoIP inside, outside and upside down. All the handsets had IPs as well as phone numbers. The link to the LEA was an IPsec tunnel from a Juniper VPN Concentrator to an IPSec-enabled endpoint at the LEA's office. PSTN has nothing to do with it. No, you CAN'T wardial it because it isn't a phone switch.

Re:Buffering... (1)

phantomcircuit (938963) | more than 4 years ago | (#30079006)

Good luck DDoSing a major telco switching office.

That would take what? 10 Gbps?

Believe me that is relatively easily doable. If you're highly motivated it would be much easier.

New best ... (5, Funny)

dijjnn (227302) | more than 4 years ago | (#30077352)

New best way to get your funding cut: publish a paper that outlines a way to use DDOS to hinder a federal investigation. Old best: come out of the closet & join the communist party.

Re:New best ... (1)

Hurricane78 (562437) | more than 4 years ago | (#30078074)

Nah, I think joining this group [radiantempire.com] still beats that.

(In case you're unsure: The tolerance and understanding part is the objectionable part. ;)

Already happens (4, Funny)

Slightly Askew (638918) | more than 4 years ago | (#30077408)

"...if the connection between the switches and law enforcement are overwhelmed with useless data, something known as a denial of service (DOS) attack...

This just in, arrest warrants issued for 92% of American females between the ages of 12 and 17.

Re:Already happens (3, Funny)

The Evil Couch (621105) | more than 4 years ago | (#30079092)

Oh good. They've finally made reading Twilight a crime.

Re:Already happens (1)

citab (1677284) | more than 4 years ago | (#30079240)

"...if the connection between the switches and law enforcement are overwhelmed with useless data, something known as a denial of service (DOS) attack...

This just in, arrest warrants issued for 92% of American females between the ages of 12 and 17.

hmf! Try 12 and 97!!

Re:Already happens (1)

MateuszM (1110895) | more than 4 years ago | (#30084316)

This just in, arrest warrants issued for 92% of American females between the ages of 12 and 17.

Well, such a warrant would be a great DDoS on law enforcement as a whole, wouldn't it? So one could argue that the teenagers won the battle...

DOS attack? (-1, Offtopic)

maxwell demon (590494) | more than 4 years ago | (#30077468)

MS DOS or DR DOS?

You insensitive clod! (1)

Lead Butthead (321013) | more than 4 years ago | (#30078872)

MS DOS or DR DOS?

You insensitive clod! I attack with FreeDOS.

Re:You insensitive clod! (1)

The_Wilschon (782534) | more than 4 years ago | (#30080992)

I cast magic missile! ... at the DOSness.

Oh really? (0)

ewhenn (647989) | more than 4 years ago | (#30077470)

....In fact, wiretaps could probably be rendered useless if the connection between the switches and law enforcement are overwhelmed with useless data....

Is it me or does this kinda read as: "If there is nothing useful going through the line, there is nothing to tap". Well no shit. If the caller can't complete the call or communicate with the person on the other end because of system overload, guess what, you won't be able to gather anything because the conversation never happened.

Re:Oh really? (0)

Anonymous Coward | more than 4 years ago | (#30077606)

But that's not the problem. Often LEAs just get a T3 to run a phone tap. TFA shows how you can generate small UDP packets that create much larger packets on the LEA's pipe.

And here again is a door open to geeks unemployed (4, Funny)

dada21 (163177) | more than 4 years ago | (#30077502)

...sort of off-topic, but something I mention to my geek friends out of work: the black market of crime has endless jobs available for you.

Go into any barbershop in a shadier part of town and while you're getting a fantastic $12 haircut, mention to the oldest barber that you are working on security consulting to help people avoid getting into trouble with the law, especially in regards to keeping phone calls and information private.

At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better.

In reality, though, wiretaps aren't as important as having a good crew under you. A large percentage of black market consultants find themselves in jail because of the stool pigeon, not because of the wiretap information.

Re:And here again is a door open to geeks unemploy (1)

interkin3tic (1469267) | more than 4 years ago | (#30078272)

Go into any barbershop in a shadier part of town and while you're getting a fantastic $12 haircut, mention to the oldest barber that you are working on security consulting to help people avoid getting into trouble with the law, especially in regards to keeping phone calls and information private.

I don't know, there aren't a whole lot of trees here, I'm going to have a hard time identifying the "shadier" part of town.

At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better.

A cheaper suit for starters.

Re:And here again is a door open to geeks unemploy (1)

nacturation (646836) | more than 4 years ago | (#30084714)

I don't know, there aren't a whole lot of trees here, I'm going to have a hard time identifying the "shadier" part of town.

If your town has a large selection of restaurants instead of trees, perhaps you can find the more unsavory parts of town?

Re:And here again is a door open to geeks unemploy (1)

dougmc (70836) | more than 4 years ago | (#30078292)

At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better.

I like the idea, but what happens when he gets nabbed anyways, because he fell for something that seemed so trivial you didn't even mention it? (Or any number of other scenarios that may or may not be your fault.)

Then he (or Guido) comes looking for you, once he's out of jail? Or the police come looking for you, his accomplice ...

I imagine it's lucrative, but sounds risky.

Re:And here again is a door open to geeks unemploy (1)

Tenebrious1 (530949) | more than 4 years ago | (#30078366)

"At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better."

You better be giving him some damn good advice, or you might end up with some broken kneecaps if you're lucky, getting fished out of the river with cement shoes if not.

Some background about Matt Blaze (4, Informative)

jonaskoelker (922170) | more than 4 years ago | (#30077608)

Here's a bit of background the /. editors didn't give you.

If you take a 2-second look at the paper (the pdf link in the summary), you see Matt Blaze's name.

He's been doing other work on making law enforcement wiretapping not work. For instance, go to http://www.usenix.org/events/sec06/tech/ [usenix.org] and search the page for "Blaze"; you should find his talk (http://www.usenix.org/events/sec06/tech/mp3/blaze.mp3) and the Q&A session.

He also gave essentially the same talk as the first (under a different title) at http://www.usenix.org/event/lisa05/tech/ [usenix.org] (again, search the page for "Blaze" or go straight to http://www.usenix.org/event/lisa05/tech/mp3/blaze.mp3 [usenix.org] ).

He also spoke at hotsec06, http://www.usenix.org/events/hotsec06/tech/ [usenix.org] , with no recorded mp3, and at an e-voting panel, http://www.usenix.org/events/sec07/tech/ [usenix.org] .

As you might infer, this isn't the first time Mr. (Dr.?) Blaze has been studying wiretapping (or other security issues). He's also quite a good, entertaining speaker. I recommend giving him a listen.

The short story (from the usenix talks): press the "C" key on your old 4x4-keypad phone. That's the in-band signal (doh!) used by law enforcement to mean "don't record now". Or, look up the tone frequency, then play it back at a much lower volume with a tone generator (your laptop might do) so it's more comfortable to talk over.

Re:Some background about Matt Blaze (0)

Anonymous Coward | more than 4 years ago | (#30077974)

Dr. Blaze, check out crypto.com

Re:Some background about Matt Blaze (2, Insightful)

coolsnowmen (695297) | more than 4 years ago | (#30077976)

What would that signal even exist? So that law enforcement could break the law by phone and not get caught?

As per Matt's talk (1)

jonaskoelker (922170) | more than 4 years ago | (#30084158)

[Why] would that signal even exist?

Phone wiretap warrants are on people, not telephones. If you borrow my phone and the police are wiretapping me, they're not allowed to record any of your conversation (except they can listen in something like two seconds every minute to check it's still someone other than me talking).

That might serve as one motivation. The real answer is that they didn't understand the "Don't trust the client" principle. Especially don't trust your clients if you suspect them to be criminals... oh well.

Re:Some background about Matt Blaze (1)

dougmc (70836) | more than 4 years ago | (#30078338)

My old 4x4 keypad phone doesn't have a C key. Or do you mean the 2 key? Or * or #?

And a minor nit -- each key doesn't emit one tone. It emits two tones -- one based on the horizontal location of the button and the other based on the vertical location of the button. If I recall correctly. (I imagine you know that already, however.)

I guess I could go find his paper ...

Re:Some background about Matt Blaze (4, Informative)

AJWM (19027) | more than 4 years ago | (#30078598)

My old 4x4 keypad phone doesn't have a C key.

Probably because it's only a 3x4 keypad phone. You want a keypad like this [futurlec.com] , the C is on the same row as the 7, 8 and 9.

You may also want to review your counting skills. ;-)

Re:Some background about Matt Blaze (1)

taniwha (70410) | more than 4 years ago | (#30078714)

The standard has 4 possible tones for each of the 2 dual-tones. One of those 8 tones is not used on a 4x3 keypad but is used for signaling (your phone sends it when it receives caller ID, for example). Those missing tones from the real 4x4 matrix are named A, B, C and D.

Re:Some background about Matt Blaze (1)

dougmc (70836) | more than 4 years ago | (#30079604)

Duh. My phone is 4x3, not 4x4 ...

Re:Some background about Matt Blaze (0)

Anonymous Coward | more than 4 years ago | (#30078958)

If your phone has a 4x4 (not 3x4; count carefully. sixteen != twelve), then it has four buttons, from top right to bottom right, A, B, C, and D. On some military 4x4's these are labeled FO, F, I, P to correspond to the call priorities "Flash Override," "Flash," "Immediate," and "Priority."

If your phone does not have a 4x4, then the problem is that you miscounted; this error accounts for your confusion.

Re:Some background about Matt Blaze (1)

X86Daddy (446356) | more than 4 years ago | (#30079522)

Count your columns again. :-)

The term 4x4 used here indicates the number of rows and columns on phone technician devices or specialty home-made phreaking tools...

Re:Some background about Matt Blaze (0)

Anonymous Coward | more than 4 years ago | (#30084136)

My old 4x4 keypad phone doesn't have a C key. Or do you mean the 2 key? Or * or #?

And a minor nit -- each key doesn't emit one tone. It emits two tones -- one based on the horizontal location of the button and the other based on the vertical location of the button. If I recall correctly. (I imagine you know that already, however.)

I guess I could go find his paper ...

It might sound silly at first, but no, it's just one tone. One waveform plus One waveform equals... ONE resulting waveform, not two. So while it's true that it adds two waveforms together based on row/column position, it's still just one waveform being output.
And if you look at your keypad, it's 3x4 not 4x4 unless you have some screwball keypad, but in such a case the extra buttons aren't actually signaling on the phone line. The "C" key is on the 4th column which only exists on lineman's handsets (unless you hack one out yourself of course).

Yes, DTMF indeed (1)

jonaskoelker (922170) | more than 4 years ago | (#30084142)

each key doesn't emit one tone. It emits two tones -- one based on [each of row and column]

That is indeed correct; it's also known as DTMF---dual tone multiple frequency. I think I meant to say something about that. Now I wonder why I didn't.

Thanks for pointing this out, though! :)
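An added example, not written by any poster in this thread: a decoder for the 4x4 DTMF matrix discussed in the comments above, using the Goertzel algorithm to show that the single summed waveform carries energy at exactly one row frequency and one column frequency. The 8 kHz sample rate, 50 ms frame, 0.25 energy-share threshold and all function names are assumptions of this example; the input frames are synthesized, not recorded.

```python
import math

SAMPLE_RATE = 8000   # Hz; assumed telephony sampling rate
FRAME = 400          # samples per analysis frame (50 ms at 8 kHz)

ROW_FREQS = (697, 770, 852, 941)       # Hz, one per keypad row
COL_FREQS = (1209, 1336, 1477, 1633)   # Hz, one per column; 1633 Hz is the A-D column
KEYPAD = ("123A", "456B", "789C", "*0#D")


def key_freqs(key):
    """Return the (row_hz, col_hz) pair assigned to a keypad symbol."""
    for r, line in enumerate(KEYPAD):
        c = line.find(key)
        if len(key) == 1 and c >= 0:
            return ROW_FREQS[r], COL_FREQS[c]
    raise ValueError("not a DTMF symbol: %r" % (key,))


def synth_tones(freqs, n=FRAME, rate=SAMPLE_RATE, amp=0.5):
    """Constructed test input: n samples of equal-amplitude sinusoids, summed."""
    return [amp * sum(math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Squared magnitude of the frame's spectrum at one frequency (Goertzel)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_shares(samples, rate=SAMPLE_RATE):
    """Share of the frame's energy at each of the 8 DTMF frequencies.

    A pure sinusoid at a DTMF frequency scores about 1.0 there; a valid
    two-tone key scores about 0.5 at its row and 0.5 at its column.
    """
    energy = sum(x * x for x in samples)
    if energy == 0.0:
        return {}
    scale = energy * len(samples) / 2.0
    return {f: goertzel_power(samples, f, rate) / scale
            for f in ROW_FREQS + COL_FREQS}


def decode_frame(samples, min_share=0.25, rate=SAMPLE_RATE):
    """Return the keypad symbol in the frame, or None if it is not DTMF.

    Both the strongest row and the strongest column must hold a real share
    of the energy, so silence and single tones are rejected.
    """
    shares = band_shares(samples, rate)
    if not shares:
        return None
    row = max(ROW_FREQS, key=shares.get)
    col = max(COL_FREQS, key=shares.get)
    if shares[row] < min_share or shares[col] < min_share:
        return None
    return KEYPAD[ROW_FREQS.index(row)][COL_FREQS.index(col)]


if __name__ == "__main__":
    for key in "5C":
        frame = synth_tones(key_freqs(key))
        strong = sorted(f for f, s in band_shares(frame).items() if s > 0.25)
        print(key, "->", decode_frame(frame), "energy at", strong, "Hz")
    print("852 Hz alone ->", decode_frame(synth_tones((852,))))
```

The same per-frequency energy test is what makes in-band signalling easy to recognise on the receiving side: any party on the line that can produce the two frequencies produces a frame the decoder accepts, which is the "don't trust the client" problem raised elsewhere in the thread.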

Re:Some background about Matt Blaze (1, Funny)

Anonymous Coward | more than 4 years ago | (#30080824)

It's a trap! That button actually STARTS the wiretap already placed on your phone. It's intended specifically to catch people who are trying to avoid law enforcement noticing their activities.

Re:Some background about Matt Blaze (1)

bughunter (10093) | more than 4 years ago | (#30081568)

All this talk of 3x3's and 4x4's is making me hungry [flickr.com] !

Re:Some background about Matt Blaze (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30084826)

What, no whistle included in a box of cereal?

Stupid (2, Insightful)

Chicken_Kickers (1062164) | more than 4 years ago | (#30077790)

If spies/criminals/terrorists/politicians are stupid enough to use plain language over the phone to plan their dastardly deeds, then they deserve to be put into prison.

Re:Stupid (0, Offtopic)

Foobar of Borg (690622) | more than 4 years ago | (#30077892)

If spies/criminals/terrorists/politicians are stupid enough to use plain language over the phone to plan their dastardly deeds, then they deserve to be put into prison.

Indeed. And remember, Mary had a little lamb, the cow jumped over the moon, but most of all, I did it my way.

Re:Stupid (1)

otterpopjunkie (1558913) | more than 4 years ago | (#30077988)

And if they are clever enough to do otherwise, they don't deserve to be put in prison!

Re:Stupid (0)

Anonymous Coward | more than 4 years ago | (#30078106)

This is essentially a pre-shared key using voice communication.

Re:Stupid (3, Insightful)

Hurricane78 (562437) | more than 4 years ago | (#30078116)

Only a total retard would still think that the point of this wiretapping is to catch criminals.

Re:Stupid (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30084832)

Does it still work if I wrap my phone in tin foil, as well as my head?

Re:Stupid (1)

mi (197448) | more than 4 years ago | (#30078260)

if spies/criminals/terrorists/politicians are stupid enough to use plain language over the phone to plan their dastardly deeds, then they deserve to be put into prison.

I'd like to point out, that of the four groups you listed, the criminals and the terrorists deserve to be put into prison (or worse) regardless of whether they use plain language. Same applies to spies, unless they work for our side.

Politicians planning dastardly deeds get little sympathy too...

to over exaggerate a bit. (2, Insightful)

Dare nMc (468959) | more than 4 years ago | (#30082658)

criminals and the terrorists deserve to be put into prison

Careful, that's not always a clear-cut line; for instance, Bush considered only Christians to be citizens, therefore anyone trying to overthrow Christianity was trying to overthrow his country? Teaching science might not be too far from being considered a terrorist by many zealots (of which Bush often listened to). With government listening to corporate interests and considering anything harmful to corporate profits, like breaking DRM, as theft. If this criminal/terrorist net doesn't include you yet, it could encompass many of your friends/family; isn't conspiring with known criminals and terrorists a crime? (best get off of Slashdot now, to be safe...)

Re:Stupid (1)

pwfffff (1517213) | more than 4 years ago | (#30080194)

I've seen supposed wiretap transcripts on news sites and such that I guess were released during the trial. Most of the time the criminals ARE using code words, it's just, you know, not real hard to figure out that your terror suspects aren't really opening a hair salon, and therefore probably aren't ordering 300 'bottles' of 'conditioner' that are 'guaranteed to go off'.

A couple things... (4, Informative)

mea37 (1201159) | more than 4 years ago | (#30077858)

...for those who didn't RTFA:

First, this apparently applies to VoIP systems and cell phones, not analog land lines.

Second, it is not a DDoS attack, as the headline claims. It is a DoS attack, though. That extra D means "distributed" and refers to situations where you bring many computers (say, a botnet for example) to the party so that your cumulative traffic-generation ability exceeds your target's capacity. Those techniques are not in play here. I guess Internet-based distributed attacks have become so common that people don't bother knowing what the acronyms really mean anymore.

The channel you're trying to flood is a 64kbps data link between the phone company's switch and the law enforcement equipment. That is to say, the spec calls for 64kbps - so you don't really know if they have more than that in implementation. The idea is that if you program your system to rapidly make useless connections (such as text messages to random numbers) then you can flood this link and the equipment will lose track of the metadata describing an important message you send along during the flood. "Rapid" is on the order of 40 text messages per second; maybe you can program your equipment to do that.

They have not been able to test this attack in practice, and they're making assumptions - some of which I doubt - about what the result would be. Seems like a lot of trouble to go to for the chance that maybe there'll be a random probability that the call you care about doesn't get logged - and even then you won't know after the fact whether it worked. Anyone who takes communications security seriously enough to apply that much effort, will apply it to doing something more certain to work.

Re:A couple things... (2, Informative)

Tmack (593755) | more than 4 years ago | (#30078454)

...for those who didn't RTFA:

First, this apparently applies to VoIP systems and cell phones, not analog land lines....

VoIP and Cell systems are packetized data, just like normal analog phones are once they get to an RT or CO (read up on SS7). Most cell towers have VoIP connections back to a CO somewhere, and VoIP terminating on the POTS network first has to be converted to normal SS7 packetized traffic. This means the wire tap is tapping actual data packets from the SS7 channel (hence the mention of "only" 64kbps, which is actually a full ds0, same as a normal analog line). The attack mentioned (going from the way the summary presented it) requires taking up all available channels on the same switch that the tap is being placed on, so there are not enough available ds0 channels left for the tap to send its data, or alternatively, creating multiple voice channels that are targets for the tap so that it can't send all the voice even with a high compression codec (assuming it's limited to the single ds0). This is only capable if you get a bunch of people to dial into the same switch at the same time, basically a DDoS, or place multiple calls from the tapped phone or send sms/other stuff that takes up data channels. This has the same effect as what happens when a radio station announces that "10th caller gets tickets" to some concert, and you try to call but get "all circuits busy". But still, good luck flooding all the channels in a CO....

Tm

Re:A couple things... (1)

mea37 (1201159) | more than 4 years ago | (#30079362)

All well and good, except that the attack you are describing is not what the article describes the researchers doing.

I guess that's what happens when you respond to someone who read TFA with an assessment based on "the way the summary presented it".

3G 64kbps channel? (1)

Kodack (795456) | more than 4 years ago | (#30079136)

That's an analog landline convention. They are talking about 3G which isn't getting to the world the same way a voice call would so there are no channels like there would be for say an analog call at 64kbps trunking and SS7 sent via a signaling link.

I think if you sent so much information you saturated your available bandwidth that any messages not picked up by CALEA also would fail to be delivered. I don't know what 'device' they picked up to do this testing since CALEA is a standard not a box. But I'm guessing that they found a flaw with it, not with the CALEA standard.

Re:3G 64kbps channel? (1)

mea37 (1201159) | more than 4 years ago | (#30079518)

Everyone seems to be jumping on the 64kbps number and assuming it refers to some piece of the system they're familiar with. Yet what TFA describes doesn't sound like the same thing to me. I'd be unsurprised to find that the 64kbps number looks familiar because they picked it to conform to what other pieces of the system are doing.

In any case, they did not find flaws in some specific box they tested against. If you RTFA, you'll find that they specifically are addressing flaws they've inferred from the spec, because they specifically could not get equipment to test against.

And that's half my point. There is no real information in this research; IMO it looks like just a research group with a history of trying to poke wiretap tech in the eye making speculative claims about weaknesses they can't verify in any real-world context.

Why Bother Wire-tapping (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30077874)

. . . if once you have the evidence you don't do anything with it, ala Nidal Hasan?

I know the foundations of our legal system stem from the formerly great British Empire, but there's no reason why we have to follow them into becoming a pussified police state that spends more time acting like a nanny than a great power.

Encryption (1, Interesting)

iamacat (583406) | more than 4 years ago | (#30077940)

Eventually, nobody will care about this because all communications will be encrypted end-to-end and wiretaps will be useless. Attempts to outlaw that would result in only criminals having encryption and honest people falling victim to wiretaps by criminals and foreign governments. Besides there are many ways to make encryption not look like encryption.

This is quite all right for law enforcement, as many new ways to breach people's privacy are emerging at the same time - RFIDs, GPS phones, new hackable devices, street cameras, voice-tracking lasers shined on one's window and so on. On the whole, it will be easier than ever to do lawful or unlawful surveillance. They just need to stop cribbing about having to abandon some old technologies and adopting new ones.

Re:Encryption (1)

mi (197448) | more than 4 years ago | (#30078438)

Eventually, nobody will care about this because all communications will be encrypted end-to-end and wiretaps will be useless.

Unless Obama (or some future President) is more successful with the future incarnation of Clipper [wikipedia.org] , than Bill Clinton was.

Attempts to outlaw that would result in only criminals having encryption ...

Encryption really is so much like weaponry, that your statement — and its accuracy — are the same as "If guns are outlawed, only outlaws will have guns." Does not stop the politicians from trying, though...

it will be easier than ever to do lawful or unlawful surveillance

It is already easy... What protects us, is that the evidence thus obtained is often inadmissible in court.

Re:Encryption (1)

iamacat (583406) | more than 4 years ago | (#30078718)

Encryption really is so much like weaponry, that your statement -- and its accuracy -- are the same as "If guns are outlawed, only outlaws will have guns." Does not stop the politicians from trying, though...

If even 10% of encryption software owners use the product to kill defenseless civilians, or if accidents with a 5 year old boy finding a PGP CD-ROM in dad's drawer and accidentally killing his 3 year old system are widespread, I would certainly support strict licensing requirements and usage restrictions on encryption.

Encryption = e-commerce (1)

AliasMarlowe (1042386) | more than 4 years ago | (#30079194)

If even 10% of encryption software owners use the product to kill defenseless civilians, or if accidents with a 5 year old boy finding a PGP CD-ROM in dad's drawer and accidentally killing his 3 year old system are widespread, I would certainly support strict licensing requirements and usage restrictions on encryption.

It's unlikely to reach even 0.01%, since almost every browser and email program supports encryption. Every time you conduct a transaction over https, you're using encryption. Same for email login using TLS, and possibly also for accessing your home wireless network. http://en.wikipedia.org/wiki/Https [wikipedia.org]

Your proposal for restricting encryption is presumably made from ignorance. It would greatly hinder online banking, online shopping, or anything else requiring secure login or identification. Even a slashdot login...

Re:Encryption = e-commerce (1)

iamacat (583406) | more than 4 years ago | (#30079494)

So can you support the same 0.01% number regarding guns? I seldom use a gun while banking or shopping, but I guess your mileage may vary.

Re:Encryption (1)

Idbar (1034346) | more than 4 years ago | (#30078886)

Also that implies that all the voice communications pass through some sort of entity. Couldn't just happen that you use your own asterisk server at home, and use some private extensions for calls you don't want to be listened?

Enough proxies and encryption makes me think that system may be useless or just oriented to plain people and not the ones the government should really be worried about.

I work on CALEA and DDOS is not possible (5, Informative)

Kodack (795456) | more than 4 years ago | (#30078384)

The fact that these researchers worked off of the standard for delivery compliance aka CALEA, has given them the false impression that all they need to do to prevent a wiretap is to overload the connection between the agency and the DMS (the switch your call goes through).

What the J standard does not go into is the fact that at every step of the way there are checks to determine if data can be sent. If it cannot then it is stored until it is able to be sent. It is not uncommon for connections in the IP realm to come up and down so the system can buffer them both at the DMS, as well as at several points in between through the various offboard devices in the chain. Typically the data makes 2 stops between the DMS and the LEA.

This is strictly for the data portion of the call, IE dialed digits, in the wireless world it would include MMS/SMS, GPRS, etc.

The voice portion of the call is trunked from the DMS to the PSTN via a 3 way calling feature with 1 way audio. It basically dials the LEA's recording equipment every time the target makes a call, their equipment will record automatically when it answers the phone, like an answering machine. However the voice portion doesn't always have to go to a LEA. It can be configured to go to several phone numbers such as an agent's mobile phone, a recording device, or other 3rd party.

Now you could overload the agency's recording equipment if you knew what number to dial using a war dialer type of attack, but that would lead authorities to your door and it would not prevent other agencies and other monitoring centers from receiving that same data. Most bench warrants will have several involved agencies each receiving intercepts from a single target.

Suffice to say that if you have a tap on your phone, it's going to get to the LEA and there isn't much you can do about it.

RTFM for more DoS suggestions (1)

TSHTF (953742) | more than 4 years ago | (#30078484)

Great paper. Cisco is also nice enough to write up about their "Lawful" Intercept products. For example, in Configuring Lawful Intercept Support [cisco.com] , they kindly warn the end-user that "To maintain VXSM performance, lawful intercept is limited to no more than 60 active calls." Thanks for the suggestion!

uh, the premise of the article is wrong (0)

Anonymous Coward | more than 4 years ago | (#30078518)

64K bits was a limit with x25. most stuff is done over ip now, and doesn't have that limitation. The entire premise for this article is incorrect. It talks about VoIP having the same 64K limitation when that isn't based on anything in reality at all.

This is not a DDoS, use buzzwords correctly. (1)

DdJ (10790) | more than 4 years ago | (#30078582)

What is it lately with people using precise terms with only vague ideas about what they actually mean? Is this a side-effect of H1N1 or something?

I mean, here we have someone talking about something an individual does all by themselves with one device, calling it a "distributed denial of service attack", when there's nothing "distributed" about it and it's just a denial of service attack.

In other contexts, we have people talking about Blizzard's new selling of in-game WoW pets for $10 a pop, calling that a microtransaction, when there's nothing "micro" about this, these are just transactions. (A microtransaction is worth talking about as such only because strange things happen when the value of a transaction gets too close to the overhead of collecting that value, which does not happen up around the $10 range. I can talk about this at length, but it doesn't matter, people are still idiots and will say "microtransaction" to sound like they're more clever than they are.)

WTF? Gah! Makes me wish I could just reach through the internet to grab people and shake them.

CALEA is bomb proof (1)

Kodack (795456) | more than 4 years ago | (#30078918)

Chillax broham.

I believe they are talking about VOIP using the 3g side of their sprint phones. IE making a skype call over their wireless data. Assuming for a moment that Skype and other service providers don't have a CALEA setup (they are legally required to as they offer telecomm services and must comply with bench warrants), the fact is that any warrant on the targeted mobile would also capture all data. If one device were overloaded it would buffer until it was able to be sent.

CALEA is bomb proof in the way that your billing is bombproof. Companies don't like to lose $$$ by losing billing records. Well a billing record is just a glorified CDR (call data record) which is all that CALEA is sending data wise, it's sending in bandwidth data, and out of band signalling as call data records.

Think about all the failsafes ma bell has to keep her billing streams intact and then double them for the government that wants to ensure law and order are kept.

And CALEA is just a standard that all devices must comply to for delivering voice and data. So they can interoperate with others' products. You must remember that there are dozens of ways to intercept a phone call legally, from your mobile to the base station, from the base station to the DMS, etc etc. If they want to wiretap you, it's going to happen, CALEA or not, it just makes it easier.

The only way to avoid intercepts is to make a bug proof room, have a stranger buy prepaid phones with cash, and throw them away after every call. Criminals are stupid, thankfully.

Re:This is not a DDoS, use buzzwords correctly. (0)

Anonymous Coward | more than 4 years ago | (#30082502)

Makes me wish I could just reach through the internet to grab people and shake them.

Have at!

I access the internet with my dick.

the premise the article and paper on is wrong (0)

Anonymous Coward | more than 4 years ago | (#30078948)

it's only assuming a maximum channel of 64 bits. While this may have been true when the j-std was first written, it's not true now. It's definitely not the case when you're delivering voip calls using t1.678 or packetcable. There is no "channel" only packets.

I'm not sure (1)

Virtucon (127420) | more than 4 years ago | (#30079460)

I'm not sure that our average dumba$$ criminal out there would be thinking of this or as the article says, opt for encrypted Skype.

For every mechanism the government tries to put into place to interdict in calls, there's always a way around it. In this case I'm not completely sure what the attack is, other than attack the control channel for signaling the surveillance system. Why not just capture all of the traffic and filter later, ala Echelon?

Y)OU FAIl IT (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30079502)

(7000+1400+700)*4 Most people into a itself backwards,

Major problems (1)

rabtech (223758) | more than 4 years ago | (#30080060)

1. Criminals smart enough to even understand what this issue is about are probably smart enough to do something useful with their lives

2. Otherwise if they are that smart and still engaged in crime, they're probably involved in major organized crime, in which case they already know (or should know) that wiretaps are a possibility so this brings nothing new to the table.

3. Law enforcement is probably going to notice (at some point) that their systems are getting jacked with and the reaction will not be a mellow one.

Most criminals get caught because they're stupid or lazy. Most smart criminals get caught because they got careless and made mistakes. Neither of these two things are likely to change anytime soon so I suspect that law enforcement will continue to be able to easily catch most criminals without employing fancy CSI zoom-enhance techniques.

Re:Major problems (1)

PPH (736903) | more than 4 years ago | (#30083028)

3. Law enforcement is probably going to notice (at some point) that their systems are getting jacked with and the reaction will not be a mellow one.

Or they are going to switch to a more capable technology.

If you suspect that law enforcement is monitoring you, the best thing you can do is to make them think that their tap is in place and working just fine. Then you use an alternate communications channel. That keeps them busy listening to your calls about picking up a gallon of milk on the way home, or taking the kids to soccer practice. Instead of putting in a better bug.

Re: (1)

clint999 (1277046) | more than 4 years ago | (#30081834)

I've seen supposed wiretap transcripts on news sites and such that I guess were released during the trial. Most of the time the criminals ARE using code words, it's just, you know, not real hard to figure out that your terror suspects aren't really opening a hair salon, and therefore probably aren't ordering 300 'bottles' of 'conditioner' that are 'guaranteed to go off'.
