Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

80% of Cell Phone Encryption Solutions Insecure

timothy posted more than 4 years ago | from the nsa-working-on-the-rest dept.

Encryption 158

An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)

cancel ×

158 comments

Sorry! There are no comments related to the filter you selected.

yeah, i can hear you now. (2, Funny)

Anonymous Coward | more than 4 years ago | (#30943360)

yeah, i can hear you now.

Re:yeah, i can hear you now. (1, Funny)

Anonymous Coward | more than 4 years ago | (#30943390)

WHAT? SPEAK UP!

Re:yeah, i can hear you now. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30943554)

Big. Black. Bold. Yes. Now you are learning to be as manly as the NIGGER.

Look at me when I'm speaking to you! Are you disgusted with me, or are you just too much of a chickenshit to look me in the eye?

Re:yeah, i can hear you now. (0)

Anonymous Coward | more than 4 years ago | (#30943858)

Just curious. Is this always the same person? I guess we'll never know.

No, it's not (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30944210)

You fucking retarded id10t. Everyone knows that the ACs who post nigger trolls are really all registered users with Excellent karma. /. is our community. We make it and we break it. Ying and Yang.

BTW, your daughter loves having apeman jizz lovingly squeezed from a massive uncut cock into her pretty little mouth. XD

Pointless (1)

oldhack (1037484) | more than 4 years ago | (#30943372)

The way people shout into their phones, you can hear what they say a mile away.

What's that? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30943412)

Oh, a lock just keeps an honest man honest?

What else is new?

Re:What's that? (4, Funny)

MachDelta (704883) | more than 4 years ago | (#30944320)

Honest men can be found everywhere.

Honest politicians? SETI is still working on that one.

blah blah "don't attack the encryption" (1)

FooAtWFU (699187) | more than 4 years ago | (#30944476)

Blah blah don't attack the encryption; attack how it's used! blah.

Backdoors != news (0)

Anonymous Coward | more than 4 years ago | (#30943430)

Are you honestly surprised by this news? Having backdoors in cell phones is a de facto legal requirement for cell phone manufacturers.

Re:Backdoors != news (4, Interesting)

Anonymous Coward | more than 4 years ago | (#30943666)

Absolutely correct.

I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.

Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.

Re:Backdoors != news (2, Interesting)

morgan_greywolf (835522) | more than 4 years ago | (#30944110)

Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.

Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.

And if you think it's only the cell manufacturers that have sold out, you are sadly, sadly mistaken.

Read the parent. Carefully. He knows what he's talking about.

Re:Backdoors != news (3, Insightful)

sexconker (1179573) | more than 4 years ago | (#30944174)

Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.

Oh fuck off.
I suppose you wrote the compiler too?
I suppose to used an electron microscope and scanned every fucking bit of your CPU and memory and such?

If you want to be fucking paranoid, be paranoid all the way.
Don't use paranoia FUD to push your FOSS agenda.

While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it. FOSS cloak or not.

Re:Backdoors != news (0, Interesting)

Anonymous Coward | more than 4 years ago | (#30944478)

Untrue. There most certainly is things you can do about it. Open hardware and open software do give an assurance. An open compiler is important too. BUT, these things are largely useless unless you have an open community that is scrutinizing them. It is far too big a workload to do anything but a small project without this community support.

You will find that your hardcore hacking circles do all this on their own. They have open hardware and their own software - right down to the kernel. One thing I've learnt very quickly is that if you're using an OS that you know the name of, then its highly likely to not be safe/secure - that goes for Linux to a large extent too.

Interesting anecdote: cyber warfare is a lot bigger than people realize. When I say this, I mean, "cold war" style stuff has been going on for decades. Mathematical geniuses, engineering geniuses and brilliant hackers are almost a trade for these agencies. I've seen people from Israel, Iran, England, Australia, Canada, Germany and China all working in the one place on incredibly sensitive cyber-espionage for the one country - these people take the highest bidder. It isn't about loyalty to a country, its about getting the smartest on-board for the big boys games. True, there is a lot of suspicion and monitoring going on, and thats why its such a dangerous game.

We've been hearing about cyber-attacks in the news, but thats just the blundering, fumbling governments getting involved. The real stuff never gets reported.

Re:Backdoors != news (1)

clesters (793568) | more than 4 years ago | (#30944856)

> I've seen people from Israel, Iran, England, Australia, Canada, Germany and China all working in the one place on incredibly sensitive cyber espionage for the one country

Sure you did kid...

How about you stop making comments on Slashdot and go back to your Intro to Information Tech class.

Re:Backdoors != news (3, Funny)

Narnie (1349029) | more than 4 years ago | (#30945140)

Yeah, I've seen that too, but I can't remember the name of the movie.

Re:Backdoors != news (0)

Anonymous Coward | more than 4 years ago | (#30944962)

That's a false dichotomy. Just because you can't be 100% secure doesn't mean you should put at least some effort.

If you get rid of all low hanging fruit and make it expensive for attackers, then you've considerably decreased the threat to yourself.

Would you rather leave all your stuff unencrypted or use obsolete DES. Even if DES can be cracked, it definitely decreases the number of capable attackers.
Some security is better than none at all.

Anger issues eh? (2, Interesting)

ComeTheDay (1732424) | more than 4 years ago | (#30945434)

You are at best uninformed and extremely hostile. Having problems installing linux huh?

Quit getting your information from Fox news and start checking out sites like the BBC and Al-Jazeera...or better yet read "The Shadow Factory" by James Bamford...the writer who broke the story about the existence of the NSA.

He painfully details the COMPLETE monitoring of all domestic and international landline, voip, sms/mms and e-mail communications...and all references are sourced by actual newspaper articles, journals or conference talks.

I know what you're going to say next...that you have nothing to hide. While I'm sure the feds could care less that you bought nunchakus over the web, once this monitoring capability trickles down to the state and local level this will be a valid concern.

Say you're a lawyer...forget about client-confidentality. Running for AG? Well the current attorney general will spy on you and get dirt on your affairs, pot consumption or whatever else he can use to KEEP HIMSELF IN POWER.

Local police will be free to use the same systems to keep cities in check, etc.

Due to the complexities of current laws (CA are you listening?) the average citizen commits several felonies a year without realizing it.

Your arguments are horseshit...

Re:Backdoors != news (4, Insightful)

s4ltyd0g (452701) | more than 4 years ago | (#30944410)

They wont waste time hacking your phone. They have a legal intercept box in the server room. No need for back doors on the phone.

Re:Backdoors != news (0)

Anonymous Coward | more than 4 years ago | (#30945004)

The 'legal intercept box' only does phone calls, texting and internet usage - it most certainly does not give them access to the contents of the phone.

Re:Backdoors != news (0)

Anonymous Coward | more than 4 years ago | (#30945040)

You have a fundamental misunderstanding: Server backdoor != client backdoor. Sure, a backdoored server enables MITM interception and lots more besides. But that's certainly not enough. There are situations that require client-side backdoors because the functionality is impossible or undesirable to implement server side. These relate to real-time use of the interesting types of sensors found in most modern cell phones. Data are locally stored, and later retrieved.

Re:backbone intercept (1)

Dare nMc (468959) | more than 4 years ago | (#30945376)

All these applications must run on the phones at both ends of the call, so recording it in the middle would be largely of no use if the exchange of keys was secure and the encryption was up to standard (256-bit AES). And The author acknowledged he couldn't break that encryption (and only speculated this was feasible with a distributed computing network.)
Hacking the device is the low hanging fruit was the point. Seams only A backdoor for the NSA/etc, in these applications would change that.

Re:backbone intercept (1)

Antique Geekmeister (740220) | more than 4 years ago | (#30945796)

That seeems nonsensical. Each phone has both input (at the microphone) and output (at the speaker), so it certainly has access to unencrypted access to both sides of the phone call.

The trivial backdoors for the NSA would seem to be in the server rooms, not the phones themselves, and have been for years as demonstrated by the AT&T fiber-optic taps.

Re:Backdoors != news (0)

Anonymous Coward | more than 4 years ago | (#30946360)

They have always scared this hell out of me. I think it's those black suits and silent black helicopters.

Re:Backdoors != news (1)

geekmux (1040042) | more than 4 years ago | (#30944840)

Read the parent. Carefully. He knows what he's talking about.

Well, he ought to. The infamous AC probably has more posts here than all of us combined.

Re:Backdoors != news (1)

geekmux (1040042) | more than 4 years ago | (#30944814)

...Those fellows will get records down to every time you've gone to the toilet - its that scary.

Boy, just when you thought that they didn't give a shit...Apparently, they DO give a shit, especially about your shit. Maybe even everyone's shit.

And apparently, if you give a shit about your shit, well that's just a sick fetish. But when the Government starts wanting to know about your shit, well, that my friends is warfighting for the sake of anti-terrorism. Weapons of Ass Destruction indeed.

OK, OK, done with this shit for now...

Re:Backdoors != news (1)

russotto (537200) | more than 4 years ago | (#30945256)

I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.

Doubt it. Too many people would know about it; not only too many phone company employees, but others; do you think no one has reverse-engineered a phone?

Many phones can take firmware updates over the air, and that can be used to put backdoors in the phones; I believe Verizon has said it has done so at the behest of the FBI in at least one case. But putting a backdoor in every phone out there is just asking for the backdoor to be discovered.

Re:Backdoors != news (0)

Anonymous Coward | more than 4 years ago | (#30946182)

I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.

I happen to work as a security firmware developer for a major phone manufacturer (and we make way more than 2% of phones in existence). We don't put in backdoors. We can't break into them ourselves. It makes it a real pain to debug. You're a moron.

Nothing to see here, move along (5, Insightful)

johndoe42 (179131) | more than 4 years ago | (#30943440)

News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.

No sh*t. Don't let people install trojans on your phone.

Re:Nothing to see here, move along (2, Insightful)

Third Position (1725934) | more than 4 years ago | (#30943704)

I concluded long ago that all electronic communications are by definition insecure. If what you're communicating is really that private, say it in person or use the post office. Other than that, don't be surprised when you find out your private information, isn't.

Re:Nothing to see here, move along (0)

Anonymous Coward | more than 4 years ago | (#30944032)

The post office, eh? I guess then the CIA program of intercepting mail and scanning it at USPS depots wouldn't concern you a bit?

No such thing as "secure" (2, Insightful)

fm6 (162816) | more than 4 years ago | (#30946194)

And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside [mashable.com] helps, but is still no guarantee [diylife.com] .

Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.

The real lesson here is the one Bruce Schneier keeps trying to teach (with little success, it seems): security is a process, not a product. If you're worried about somebody listening in, look for weak points in the channel. Don't try to find a magic 128-bit shield at Radio Shack.

Re:Nothing to see here, move along (0)

girlintraining (1395911) | more than 4 years ago | (#30944318)

No sh*t. Don't let people install trojans on your phone.

You do realize that the cell phone is a slave to the network it connects to, right? Most phones will auto-update their firmware or settings if the network tells it to, and there is usually no way to disable this behavior.

Re:Nothing to see here, move along (1)

EdZ (755139) | more than 4 years ago | (#30944354)

Don't let people install trojans on your phone.

If you know it's a Trojan, then by definition it isn't a Trojan.

Re:Nothing to see here, move along (0)

Anonymous Coward | more than 4 years ago | (#30944364)

That's what she said

Re:Nothing to see here, move along (1, Funny)

Anonymous Coward | more than 4 years ago | (#30944386)

That's the stupidest thing I've heard in a while.

Now that my antivirus found a trojan, it's no longer a trojan?

Re:Nothing to see here, move along (0)

Anonymous Coward | more than 4 years ago | (#30944382)

I think his video gives a lot of food for thought.

It's as if an awesome lock for your house doesn't do much good if there is someone hiding on the inside.

This is a great lesson for my 10 year old.

Re:Nothing to see here, move along (1)

Demonantis (1340557) | more than 4 years ago | (#30945430)

Not very creative remember the old evil maid [slashdot.org] . Same thing people have been preaching about Linux too. Once the person has root access doesn't matter(or sufficient rights). You have been owned.

Don't let people install trojans?? (0, Redundant)

hAckz0r (989977) | more than 4 years ago | (#30945466)

When dealing with somebody that knows what they are doing, and any major brand smart phone, it takes less than 15 seconds to r00t your phone and start to upload custom software. No 'trojan' required. All that is needed is to know your phones IP address at any point that you are online transferring data (e.g email, web, photo transfers, etc). It only takes 15 seconds, just once, and your phone no longer belongs to you. Security on the current cell phone hardware and OS's are just an after thought.

Even a novice with a little cash can purchase software, and if given physical access for 10 minutes, will own your phone. They will have access to all the data stored on it, your photos, your CC numbers, email, phone logs, and possibly even know where you are if you have a built in GPS on the phone. I have seen where the contents of the phone are compressed into an alternate stream of data in an MPEG4 video file and off loaded across the carrier network. If you think someone around you might be untrustworthy you might want to check your itemized billing records if you can get your hands on them. You may see data network usage you don't remember using. You may also notice your battery running low fairly quickly, or your phone getting warm when not in use. All these can be a clue.

30 minutes (1)

Itninja (937614) | more than 4 years ago | (#30943444)

Most of my cell calls are less the 10 minutes long.

Re:30 minutes (1)

OldeTimeGeek (725417) | more than 4 years ago | (#30945344)

You have a Treo 680, don't you?

The solution (2, Funny)

ascari (1400977) | more than 4 years ago | (#30943464)

Earlyclay itway isway upway otay ethay userway otay useway omesay otherway ormfay ofway obfuscationway

Re:The solution (1)

some_guy_88 (1306769) | more than 4 years ago | (#30943608)

Isn't it illegal in a lot of places to encrypt your own voice?

Re:The solution (0)

Anonymous Coward | more than 4 years ago | (#30943620)

Note secure enough: Clearly it is up to the user to use some other form of obfuscation.

We'll need another approach.

Re:The solution (0)

Anonymous Coward | more than 4 years ago | (#30943958)

You sir, are a genius

Re:The solution (0)

Anonymous Coward | more than 4 years ago | (#30943976)

V fcrnx va ebg 13. Gbgny frphevgl.

Re:The solution (4, Funny)

sexconker (1179573) | more than 4 years ago | (#30944190)

V fcrnx va ebg 13. Gbgny frphevgl.

My mother's a frphevgl, you insensitive khdfsji!

Re:The solution (1)

mister_playboy (1474163) | more than 4 years ago | (#30944280)

I spiem mn rot 13. Totem sigurmtc.

Lfl errq kf mfib fe mfli EBG 13 jbvccj.

Re:The solution (1)

mister_playboy (1474163) | more than 4 years ago | (#30944394)

Terminal fail.

I speak in rot 13. Total security.

Lbh arrq gb jbex ba lbhe EBG 13 fxvyyf.

I Don't Trust Wireless In General (2, Insightful)

smpoole7 (1467717) | more than 4 years ago | (#30943476)

Call me paranoid, but I don't. Even wireless networks with WPA2. Too many ways they can be spoofed, or cracked, or hacked, or man-in-the-middle'd. But that's just me.

Re:I Don't Trust Wireless In General (1)

socceroos (1374367) | more than 4 years ago | (#30943702)

WPA2 makes it difficult to crack wireless encryption. But thats not where the weak link is.

The fact is, built in hardware backdoors and software backdoors allow those in the know to completely walk around the encryption being used. This is where the real issue is.

Re:I Don't Trust Wireless In General (1)

sexconker (1179573) | more than 4 years ago | (#30944218)

WPA2 makes it difficult to crack wireless encryption. But thats not where the weak link is.

The fact is, built in hardware backdoors and software backdoors allow those in the know to completely walk around the encryption being used. This is where the real issue is.

Do they have backdoors that make the range extend beyond 6 feet and the throughput go higher than 1 MB/sec?

Re:I Don't Trust Wireless In General (1)

Narnie (1349029) | more than 4 years ago | (#30945204)

100ft patch cable plugged into the back of the router.
True paranoids check for new wired connections before transmitting data on their network. Always check for spooks lurking on your nets and sneaking in your tinfoil abode.

Re:I Don't Trust Wireless In General (2, Insightful)

maxume (22995) | more than 4 years ago | (#30943744)

At the moment, if you have needs that WPA2 doesn't meet, you probably need to worry about Van Eck phreaking too.

The most important question is not whether you are being paranoid, it is whether you are being paranoid enough.

Re:I Don't Trust Wireless In General (1)

FooAtWFU (699187) | more than 4 years ago | (#30943754)

You think that's bad? Wait until you hear about Van Eck phreaking.

Re:I Don't Trust Wireless In General (1)

Third Position (1725934) | more than 4 years ago | (#30943776)

Why trust any electronic medium? I felt the same way about POTS at least as far back as 1972. Wire-tapping was probably invented the day after the telephone was.

Re:I Don't Trust Wireless In General (2, Informative)

MichaelSmith (789609) | more than 4 years ago | (#30944040)

I don't have any security at all on my wireless network but any traffic I want to protect goes through ssh on all the networks I want to use.

Re:I Don't Trust Wireless In General (4, Insightful)

BitZtream (692029) | more than 4 years ago | (#30945418)

Okay, you're paranoid. And delusional.

The most important fact is that no one actually gives a shit about your phone calls so even if they could listen to every word any time they wanted to, it still wouldn't matter. The sooner you realize you aren't that special, the sooner your paranoia will go away.

I speak in code (3, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#30943482)

It's so efficient, not even my recipient can make out what I mean.

The Missile from France went down my pants, so I need you to dance and prance
"Are you breaking up with me?"

Re:I speak in code (2, Informative)

ascari (1400977) | more than 4 years ago | (#30943876)

The Missile from France went down my pants, so I need you to dance and prance

Translation: "Dear Susan, My new room mate Jean Claude has shown me aspects of myself that I wasn't aware of before. Please don't pine for me. Go out, have some fun and maybe you meet somebody who can appreciate you in a way I cannot anymore."

Re:I speak in code (0)

Anonymous Coward | more than 4 years ago | (#30944096)

I like a good, one-time encrypting hash function.

btv tpw rmm nbs fep amy zyb qcp epp lpn lrs qhy nnt hvs nhr mzr lxj rwf rgb rfi fav hgv irc oub exg mcv qmc ltp rwz mhh alv xdz whz ovx rfx tre ith hif vci egq ghl ywg qdt rcy tcr pdu tmp rnr rmn kci jst qie vfp cay ese ynu quf jik gew ljw kbt fup xeu hfb lis nbc vtb mdy zph vkp jee hgr lyy dsj zyu mmn xgm pqp mpi uks gwa fjq hbx qyn lic zjw isb oqb vbh quj eaa fpm smn ndq zdr vhe nmw hwy rmh lty

The meaning is dubious, but there is an advantage in ambiguity.

And plausible deniability is built right in... Who the fuck knows?

Re:I speak in code (0)

Anonymous Coward | more than 4 years ago | (#30944300)

sounds like you should try a career at xkcd.

Re:I speak in code (1)

izomiac (815208) | more than 4 years ago | (#30944340)

That's you? Well, what do you expect when your cellphone doesn't even broadcast on the right frequencies [wikipedia.org] ...

Sure, if you install the spy software. (4, Funny)

InlawBiker (1124825) | more than 4 years ago | (#30943516)

This tactic requires you to install software on the target's phone without their knowledge. That doesn't render the encryption faulty, it's just stealing the voice signal before it gets encrypted. I like this part from the vendor's web site: "$PRODUCT_NAME for iPhone is professional grade spy phone software that takes minutes to install on a jailbroken iPhone, and instantly starts sending data to a secure web account where you can log in and view records..."

Misleading article (5, Insightful)

badboy_tw2002 (524611) | more than 4 years ago | (#30943538)

This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.

Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.

Re:Misleading article (1)

data2 (1382587) | more than 4 years ago | (#30943812)

I was kind of expecting the same ol' "We creating our own encryption" thing, and was prepared to post exactly this. Thanks for sparing me to RTFA

Re:Misleading article (5, Insightful)

PybusJ (30549) | more than 4 years ago | (#30943914)

In my opinion this whole this is a marketing scam for one of the products mentioned. The things that make me suspicious:

- "Blogger, hacker and IT security expert Notrax" 's infosecurityguard blog was started in Dec 2009, just before he started his ambitious series of security reviews.

- There are no details of who he is "for his own safety"

- He calls the systems he's failed to break "secure" and highlights them in reassuring green to attract you attention (only admitting in the small print that he means he hasn't broken them yet). This is not the kind of language security researchers use.

- Most of the the products are "details to be published", including respected software such as Zphone/ZRTP. Just one shines out as both "secure" and "review available". That miracle product is PhoneCrypt. Oooh, I must click on that review now -- oh look at that glowing prose.

"SecurStar is the company behind PhoneCrypt." Now I wonder what relation our mysterious, benevolent friend Notrax has to SecurStar.

To me all the smells lead to a fake marketing blog. Nice story /.

Yep... (2, Insightful)

msauve (701917) | more than 4 years ago | (#30944834)

and if it weren't for the summary here, you'd have no way of knowing that WTF he was reviewing. His article references "Voice Encryption," but nowhere does it mention that he's talking about software interception of cellular or mobile phones. From his description of Flexispy - "simply tap the microphone and it can be used in a wiretap mode to listen in to an active phone conversation or simply as a remote electronic bug for proximity eavesdropping" one might think that it's a hardware solution which wiretaps into the microphone. It's not. There is no "wiretap."

Just 80%? (2, Insightful)

Weirsbaski (585954) | more than 4 years ago | (#30943574)

100% of encryption is insecure, if you throw enough resources into breaking it. The real question is how much effort is put into the encryption (both human-hours developing the system, and cpu-cycles doing the math) vs how much effort the attacker can/will put into breaking it.

I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.

Re:Just 80%? (0)

Anonymous Coward | more than 4 years ago | (#30943770)

Hate to break it to you, but I can implement a cryptosystem that no supercomputer now, or ever invented is or will be capable of cracking through brute force if I can get my hands upon a sufficient source of entropy and a good key distribution channel. Period.

I think--you do not understand crypto as well as you think you do. Substitution ciphers--they work when used with a keylength at least as large as the plaintext.

Re:Just 80%? (0)

sexconker (1179573) | more than 4 years ago | (#30944290)

Hate to break it to you, but I can implement a cryptosystem that no supercomputer now, or ever invented is or will be capable of cracking through brute force if I can get my hands upon a sufficient source of entropy and a good key distribution channel. Period.

Good luck finding a good key-distribution system.
There is no such thing as a secure distribution system, and there never will be.

If some terrorist planted a nuke in New York and the government had to decrypt some files to find out where the fuck it was, you can bet your ass that shit would be decrypted within the hour.

Besides brute force includes torture.
(And yes, torture is effective. Very, very effective. And no, water boarding is not torture.)

Re:Just 80%? (2, Funny)

Bengie (1121981) | more than 4 years ago | (#30944798)

It would take more energy to break a current day 256bit symmetric key than there is usable energy in our galaxy. A near perfect 256bit would require you breaking down all of the stars in the universe into pure energy to break one key. Have fun.

but yes, human factor. ignore the key all together.

Re:Just 80%? (1)

TubeSteak (669689) | more than 4 years ago | (#30946430)

It would take more energy to break a current day 256bit symmetric key than there is usable energy in our galaxy. A near perfect 256bit would require you breaking down all of the stars in the universe into pure energy to break one key. Have fun.

You could always get lucky and break the key on your 42nd try.

Re:Just 80%? (1)

Bengie (1121981) | more than 4 years ago | (#30944450)

serpent 256? :p

Re:Just 80%? (0)

Anonymous Coward | more than 4 years ago | (#30943952)

Hmmm.

99% of encryption is breakable. The other 1% is a one-time pad.

And he didn't break any encryption.

Re:Just 80%? (1)

QuantumRiff (120817) | more than 4 years ago | (#30944392)

Honestly, its alot easier to break the person, than it is the encryption... People are weak, just go all Jack Bauer on them, they will talk.

Re:Just 80%? (0)

Anonymous Coward | more than 4 years ago | (#30944686)

100% of public encryption (including AES) is insecure, not because you may throw tonnes of resources at it, but because they all have built in back-doors.

Agh, I know it sounds so completely laughably paranoid and retarded, but its fracking true. Just ask anyone with a TS PV clearance at DSD.

Re:Just 80%? (0)

Anonymous Coward | more than 4 years ago | (#30945594)

http://en.wikipedia.org/wiki/One-time_pad

mo3 *up (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30943624)

Have their moments O*UT%ER SPACE THE

Use one-time pads, with text messages . . . (1)

PolygamousRanchKid (1290638) | more than 4 years ago | (#30943788)

http://en.wikipedia.org/wiki/One_time_pad

One-time pad encoded messages look like total gibberish.

People eavesdropping on you, will think that you are just sending Twitter messages . . . total gibberish . . .

Re:Use one-time pads, with text messages . . . (2, Interesting)

MichaelSmith (789609) | more than 4 years ago | (#30944120)

But how do you securely distribute the pad? Even air transport is not secure these days, unless you have diplomatic immunity against searches.

Re:Use one-time pads, with text messages . . . (1)

maxume (22995) | more than 4 years ago | (#30944674)

For what value of guaranteed? If you get on a plane with a CDR full of data, you should be able to know whether someone accesses it or not.

Re:Use one-time pads, with text messages . . . (0)

Anonymous Coward | more than 4 years ago | (#30946266)

Exactly, what all these "OTP is not practical, ha ha" ignore is the fact that you can drop any compromised key.

- Vat are you doing vis all zis random data?
- You can keep it
- Ja

Just in case, keep a (legal) porn DVD-image encrypted with the yet to be delivered key just in case they think you are carrying interesting encrypted data and try to rubber-hose you. "The wife hates porn har har"

Use comrades that are willing to die for the cause but are intelligent enough to avoid being noticed.

Victory

100% of linux fagboys are insecure (0)

Anonymous Coward | more than 4 years ago | (#30943810)

don't worry linux fags. you're still not as bad as that dick smokers over at the apple camp.

Pfft, call that a hack (0)

Anonymous Coward | more than 4 years ago | (#30943816)

IMHO people should use malware / potentially unwanted program PoP and anti-virus software on their phones, problem solved.

I can't help but wonder which of the 3 remaining vendors Notrax was paid by to 'hack' the other ones...

Obligatory XKCD (1)

data2 (1382587) | more than 4 years ago | (#30943862)

As the title says.

Oblig: http://xkcd.com/257/ [xkcd.com] [xkcd.com]

Nice try, Notrax... (1)

zullnero (833754) | more than 4 years ago | (#30943874)

He might be able to trick someone into throwing a huge amount of money his direction because he proved something everyone knew already, using techniques that really don't prove all that much more than you can get a trojan on a phone, but most folks aren't buying it. The majority of software solutions for mobile devices tend towards being focused on blocking the "casual" hacker, for example, the friend who picks up your phone when you leave it out somewhere, or the phone you left in the coffee shop that the stranger who finds it might have something interesting on it (or might be good for some calls). That takes into account the typical use-case scenarios for a mobile device. Of course that stuff isn't going to block a trojan, because that comes down to the OS running on that phone having enough built in security to make it difficult for it to gain root access, or a virus scanner that runs on that phone (which is painfully hard on your battery life, and most people avoid that solution altogether) that keeps itself properly updated at all times.

Selling point (0)

Anonymous Coward | more than 4 years ago | (#30943920)

> then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)

So it's an improvement, right?

What good would 'security' be anyway (2, Interesting)

dontmakemethink (1186169) | more than 4 years ago | (#30943978)

So what if some geek listens in on my phone calls as they're recorded by big brother. I'm not dumb enough to say anything I want to keep private over a cel phone anyway. And I'm not even a drug dealer.

Highly fishy story... (0)

Anonymous Coward | more than 4 years ago | (#30944070)

So we have a hacker that noone has heard from before, who uses a very obvious method (installing a local trojan by having physical access to a phone) and magically, the only product who detects that trojan happens to be made by someone who has been trying to sell a "cellphone trojan remover" before. The guy is named Winfried Hafner. And his company happens to have a nice PR agency lined up to point all the tech journals to that freshly set up blog of this cool hacker who is so much in love with his product. Google Winfried Hafner and Trojans, the whole thing smells of rotten fish...

WORST. ARTICLE. EVER (3, Interesting)

GNUALMAFUERTE (697061) | more than 4 years ago | (#30944288)

I just posted the following comment on this asshole's website:

Your article is totally misleading.

You say that you managed to prove those products insecure.

Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption
to protect you from someone intercepting your phone call. You didn't test any of this.
You just directly accessed the mic on the cellphone. Well, off course you'll get the audio!!

A little analogous situation to better explain what you did:

I will prove that this high security reinforced door is totally insecure. I'll get in the house through
the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors
are Insecure!

That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.
If you knew anything about security, you would know this: Physical access is total access.

You had PHYSICAL access to the phone. Well, off course you where able to "crack" it. Guess what?
You could have manually connected the mic cables to an mp3 recorder for all I cared.

It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, but connecting
to the machines behind the firewall with this directly with this ethernet crossover cable".

So, are you really that naive, or you have financial interests in some phone crypto technology?

Re:WORST. ARTICLE. EVER (0)

Anonymous Coward | more than 4 years ago | (#30944530)

Were? I can't find it.

why (0)

Anonymous Coward | more than 4 years ago | (#30944296)

Such a lame article. Wow.

80% is actually pretty good! (1)

amRadioHed (463061) | more than 4 years ago | (#30944312)

That's a full 10% better than Sturgen's Law predicts.

Well... (0)

Anonymous Coward | more than 4 years ago | (#30944346)

Then they're not really solutions, are they?

oh noes! (1)

stokessd (89903) | more than 4 years ago | (#30944356)

So somebody could go to a lot of trouble to listen to me talk with one of my geek friends about the iPad or brazing bicycle frames, or audio design or some other totally boring topic that if it was at all interesting would show up on the net somewhere already. Lord help them if they want to listen in to a conversation with my or my wife's parents. I'd be bummed if I went to that much trouble for so little return.

Sheldon

more feasible to break encryption? (2, Interesting)

Eil (82413) | more than 4 years ago | (#30944556)

I'm not sure how much faith I have in this guy as a "security expert" when this is the second paragraph in TFA:

Well I knew I would not likely be able to break any encryption algorithms such as 256-bit AES which seemed to be the standard among the vendors. Although based on some research studies, distributed computing is making it more feasible to break encryption.

He comes within a whisker of implying that AES-256 will be breakable by distributed computing at some point.

They can't know! (3, Insightful)

nate nice (672391) | more than 4 years ago | (#30944808)

If anyone knows what I'm putting on my pizza, I'm FUCKED.

So? (0, Troll)

BitZtream (692029) | more than 4 years ago | (#30945400)

Okay, so with the right technology in the hands of the hacker, my cell phone has the same security as the old POTS line running into my house.

Pardon me if I don't freak out about it. For years all I've needed was a handset and a knife and I could listen in on peoples phone calls. This is still harder than that.

Sorry if I'm not concerned about something thats not ever been a problem for me or anyone I've ever known even though it has been trivial to do.

Yes yes, its wireless and its easier to hide, but guess what, once again I have to point out ... NO ONE GIVES A SHIT ABOUT WHAT YOU DO, YOU AREN'T THAT SPECIAL.

Not worthless at all! (1)

fluffy99 (870997) | more than 4 years ago | (#30946314)

Those products are hyped as a means to prevent your calls from being intercepted by a third party. They do indeed protect the call in transit as promised. The flaw being pointed out is that if the endpoints (the phone) are compromised, you can't guarantee the security of the call. Well duh, there's a no brainer. That's like claiming your VPN software isn't secure if someone surreptitiously slipped a keylogger into your computer.

Did anyone else notice that this seems to be an ad for flexispy?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>