Slashdot: News for Nerds

Secure Communication Comes To Android

kdawson posted more than 4 years ago | from the speak-freely-now dept.

Security 150

An anonymous reader writes "Forbes is reporting that Moxie Marlinspike and Stuart Anderson's startup, Whisper Systems, has released a public beta of two Android applications that provide encrypted call and SMS capabilities for your Android phone. In the wake of recent GSM attacks, it'll be interesting to see if smartphones end up providing a platform that fundamentally changes the security we can expect from mobile communication."

150 comments

Sure it will (2, Funny)

d1r3lnd (1743112) | more than 4 years ago | (#32342710)

Just like encrypted email! Everyone uses that...

Re:Sure it will (2, Informative)

DrSkwid (118965) | more than 4 years ago | (#32342898)

lol, I thought I was about to prove you wrong because I had STARTTLS enabled on our incoming mail server and was surprised to find remote MTAs using it as I'd turned it on to protect our users' outgoing mail authentication.

$ telnet mx1.hotmail.com 25
Trying 65.55.37.120...
Connected to mx1.hotmail.com.
Escape character is '^]'.
220 col0-mc4-f34.Col0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/ [msn.com] . Violations will result in use of equipment located in California and other states. Tue, 25 May 2010 16:00:36 -0700
helo fuckface
250 col0-mc4-f34.Col0.hotmail.com (3.10.0.73) Hello [85.189.31.174]
starttls
554 Unable to initialize security subsystem
^]

$ telnet gmail-smtp-in.l.google.com 25
Trying 209.85.229.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP s4si17050707wbc.88
helo fuzznuts
250 mx.google.com at your service
starttls
502 5.5.1 Unrecognized command. s4si17050707wbc.88
^]

At least someone is security conscious, this is Fastmail's smtp - now owned by Opera

% telnet in1.smtp.messagingengine.com 25
Trying 66.111.4.72...
Connected to in1.smtp.messagingengine.com.
Escape character is '^]'.
220 mx3.messagingengine.com ESMTP . No UCE permitted.
helo opera
250 mx3.messagingengine.com
starttls
220 2.0.0 Ready to start TLS
^]

Re:Sure it will (3, Informative)

icebraining (1313345) | more than 4 years ago | (#32343160)

TLS encryption only protects from the client to the server, you have no guarantees about the security of the server-to-server connection nor of the pop/imap server to receiving client. Only message encryption with an OpenPGP implementation or similar can offer that.

But Gmail may not support STARTTLS, but it supports IMAPS, and uses HTTPS by default in the webmail.

Re:Sure it will (2, Informative)

phantomcircuit (938963) | more than 4 years ago | (#32344514)

More importantly gmail does not support S/MIME, which is the widely supported signing/encryption mechanism for email. (although basically nobody uses it).

Re:Sure it will (3, Informative)

rthille (8526) | more than 4 years ago | (#32343560)

Try a valid ehlo, rather than a bogus 'helo fuckface'. Some mail servers won't bother to honor starttls unless they are talking to a conforming server.
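The check discussed in the comments above, as an added example that is not part of any poster's comment: a Python parser for a recorded SMTP exchange that reports whether STARTTLS was actually advertised, which only the multi-line reply to EHLO can show. The transcripts, the `C:`/`S:` line prefixes, the example.net and example.org hostnames, and the function names are all constructed for illustration.

```python
import re

# SMTP reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Constructed transcripts ("C:" = client, "S:" = server); not captured from real hosts.
HELO_SESSION = """
S: 220 mx.example.net ESMTP
C: helo probe.example.org
S: 250 mx.example.net at your service
C: starttls
S: 502 5.5.1 Unrecognized command
"""

EHLO_SESSION = """
S: 220 mx.example.net ESMTP
C: EHLO probe.example.org
S: 250-mx.example.net at your service
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-STARTTLS
S: 250 ENHANCEDSTATUSCODES
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
"""

PLAINTEXT_ONLY_SESSION = """
S: 220 mx.example.net ESMTP
C: EHLO probe.example.org
S: 250-mx.example.net at your service
S: 250-SIZE 35882577
S: 250 8BITMIME
"""


def parse_session(transcript):
    """Return (client_command, reply_code, reply_lines) for each server reply."""
    exchanges = []
    command, texts = None, []
    for raw in transcript.strip().splitlines():
        side, _, body = raw.strip().partition(": ")
        if side == "C":
            command = body
            continue
        match = REPLY.match(body)
        if side != "S" or not match:
            continue
        texts.append(match.group(3) or "")
        if match.group(2) != "-":  # no continuation marker: reply is complete
            exchanges.append((command, int(match.group(1)), texts))
            command, texts = None, []
    return exchanges


def assess(transcript):
    """Summarise what the session proves about the server's STARTTLS support."""
    result = {"greeting": None, "advertised": None, "starttls_code": None}
    for command, code, texts in parse_session(transcript):
        verb = (command or "").split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO") and code == 250:
            result["greeting"] = verb
            if verb == "EHLO":
                # First reply line is the greeting; the rest are extension keywords.
                keywords = {t.split()[0].upper() for t in texts[1:] if t.split()}
                result["advertised"] = "STARTTLS" in keywords
        elif verb == "STARTTLS":
            result["starttls_code"] = code

    if result["starttls_code"] == 220:
        result["verdict"] = "tls-ready"
    elif result["advertised"] is None:
        # A HELO reply carries no extension list, so nothing was learned.
        result["verdict"] = "inconclusive"
    elif not result["advertised"]:
        result["verdict"] = "not-advertised"
    elif result["starttls_code"] is None:
        result["verdict"] = "advertised"
    else:
        result["verdict"] = "advertised-but-refused"
    return result


if __name__ == "__main__":
    for name in ("HELO_SESSION", "EHLO_SESSION", "PLAINTEXT_ONLY_SESSION"):
        print(name, assess(globals()[name]))
```

A "not-advertised" result on a path where the server is known to offer STARTTLS is worth investigating, since an on-path device can remove the keyword from the EHLO reply.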

Re:Sure it will (3, Informative)

sznupi (719324) | more than 4 years ago | (#32344182)

Plus we can look at the impact done by availability of Zfone/ZRTP (this new encrypted VoIP standard from Phil Zimmermann) for Symbian smartphones (half of all smartphones)

Oh, nobody was aware of its availability? Exactly...

Less useful (3, Informative)

Darkness404 (1287218) | more than 4 years ago | (#32342716)

While interesting, these apps aren't that useful because the other caller would have to be using the same software for it to work which limits it to just a few people using Android with these apps.

Re:Less useful (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32342732)

Because just rewriting the whole GSM spec is done easier than this.

Re:Less useful (4, Interesting)

stephanruby (542433) | more than 4 years ago | (#32342952)

While interesting, these apps aren't that useful because the other caller would have to be using the same software for it to work which limits it to just a few people using Android with these apps.

These apps may not be useful to *you*, but they will certainly be useful to governments, a few companies, and some of the more vigilant/paranoid tin-foil hat wearers among us. In any case, what we need is a free open source solution that does encryption.

The number of Android users is not that big right now, but Android is coming very fast from behind [gartner.com] , and with Google taking 0% of the commissions from their Market/App stores (leaving the entire 30% in perpetuity to the carriers/phone makers), I speculate that Android will really become the #1 dominant platform eventually.

Re:Less useful (1)

nextekcarl (1402899) | more than 4 years ago | (#32343316)

As someone considering an Android device soon, that link was pretty interesting. I wonder if the growth will continue at anything close to that rate?

Re:Less useful (1)

sznupi (719324) | more than 4 years ago | (#32344860)

For most rigorous values of "continue" - of course not ;p

But long term it will surely be one of few major players (add bada OS to that list - Samsung seems to bet heavily on it, with the goal of having very large part of total sales using bada in a year or two; and just look at this total). I must say I prefer such situation way more from what we have on the desktop.

Re:Less useful (0)

Anonymous Coward | more than 4 years ago | (#32344066)

I'm playing with it already :)

Partially because I have an old Peavy amp that has a nasty habit of broadcasting phone calls (fortunately not cell - but definitely several of the local 'wireless' ones)

Re:Less useful (5, Funny)

Civil_Disobedient (261825) | more than 4 years ago | (#32343426)

Uh, so?

You know, telephones aren't terribly useful, either. Because the person on the other end has to have a phone as well. Completely impractical compared to yelling.

Re:Less useful (1)

Darkness404 (1287218) | more than 4 years ago | (#32343460)

Ok, how many people do you know that have Android phones? Heck, most of the people I talk to don't even have smartphones, of those that do only one or two have an Android phone the rest have Windows Mobile or Blackberries.

Re:Less useful (1)

Imagix (695350) | more than 4 years ago | (#32343552)

At least five of my friends have Android phones. Another one with an iPhone, a couple with Blackberries.

Re:Less useful (0, Insightful)

Anonymous Coward | more than 4 years ago | (#32343806)

Get rid of your loser friends... (just saying...)

Re:Less useful (5, Funny)

PopeRatzo (965947) | more than 4 years ago | (#32343986)

Ok, how many people do you know that have Android phones?

Me, my wife, and my daughter.

The reed player in my band (the other three players have iPhones or non-smart phones).

I was at a school board meeting earlier in the month and the soccer mom sitting next to me had a Droid. The kid who lives next door and who has bragged to me that he owns an Xbox, a PS3 and a Wii has an HTC android phone. He says "iPhones are for pussies".

I passed that last part along for informational purposes only. I do not endorse that sentiment in any way, mostly because I wouldn't want some offended iPhone user to give me such a slap.

Re:Less useful (0)

Anonymous Coward | more than 4 years ago | (#32345090)

Wow, that really deserves a +10 Funny

Open standard. (3, Interesting)

Ungrounded Lightning (62228) | more than 4 years ago | (#32343458)

... these apps aren't that useful because the other caller would have to be using the same software for it to work ...

From TFA:

Marlinspike says the apps will interface with users' contact lists and other functions on the phone to take the hassle out of making calls and sending texts that can't be eavesdropped by third parties. ...

RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption. ... [Similarly for the SMS system.]

Looks to me like the product uses de facto standard encrypted communication tools and integrates them with the phonebook to make their use automatic when calling a contact with whom you can have an encrypted conversation.

So it looks to me like your encrypted communications wouldn't be limited to people using the same android app. You could talk to anybody using the same underlying "standard" scheme.

Re:Less useful (1)

AHuxley (892839) | more than 4 years ago | (#32344096)

Yes like with http://zfoneproject.com/ [zfoneproject.com] you have to set both ends up, but after that it's all ok.
This is great news for Android but I feel will make the end users glow. Will the speak want more sneak and peek or demand decryption from the creators.

Re:Less useful (1)

blind biker (1066130) | more than 4 years ago | (#32345284)

While interesting, these apps aren't that useful because the other caller would have to be using the same software for it to work which limits it to just a few people using Android with these apps.

Are you this guy [bayareamotorsport.com] ?

Disappointed that they released w/o source code (1)

Mr. X (17716) | more than 4 years ago | (#32342718)

However, the site claims "we will be making the source available for download and inspection shortly."

Re:Disappointed that they released w/o source code (2, Funny)

phantomcircuit (938963) | more than 4 years ago | (#32343136)

Probably removing all the colorful comments :P

Re:Disappointed that they released w/o source code (1)

DeadPixels (1391907) | more than 4 years ago | (#32343326)

I'm interested in seeing how the key exchange is handled. After all, you can have a great encryption algorithm but if your implementation sucks, it won't do you any good.

What I'm more curious about is why there hasn't been (AFAIK) an app that uses an asymmetric public-key encryption method. The solution from TFA takes the combination of the users' keys to generate a password, but couldn't you easily have a private key stored on the handset itself and a public key to interface with others? Granted, the hurdle there would be things like losing the phone, getting new hardware, etc, but it's still interesting to think about.

This seems like an implementation of Diffie–Hellman key exchange [wikipedia.org] , which is interesting in its own right.

Re:Disappointed that they released w/o source code (4, Informative)

Ungrounded Lightning (62228) | more than 4 years ago | (#32343504)

What I'm more curious about is why there hasn't been (AFAIK) an app that uses an asymmetric public-key encryption method. The solution from TFA takes the combination of the users' keys to generate a password, ...

Public key encryption is crunch intensive - even in the good direction. (It's "effectively impossible" in the "bad" direction, which is the whole point.) Too crunch intensive to be practical when encrypting streams, even with current fast processors.

So it's usually used to generate and exchange a "session key" (and perhaps periodically replace it with a new one) for a symmetric cypher that takes less crunch and is "secure enough" if the amount of material it encrypts is limited.

Re:Disappointed that they released w/o source code (0)

Anonymous Coward | more than 4 years ago | (#32343786)

From the article, it certainly looks like an implementation (or variation) of Diffie-Hellman.

A couple of years ago I implemented something similar for a client. An encrypted MMS application (RSA3072+AES256) in J2ME. MMS because SMS cost $0.20c each here (NZ) and once encrypted, messages bloated out significantly and you could end up paying $1 per message!

Since acquiring a NexusOne, I've been contemplating porting the code across to Android, but haven't got around to it.

I hope they do release source, and even better if they allow contribution - I for one would certainly be interested in doing so.

Re:Disappointed that they released w/o source code (2, Informative)

cool_arrow (881921) | more than 4 years ago | (#32344250)

If I recall correctly zrtp generates ephemeral "one time use" keys via Diffie Hellman key exchange. After the session, the keys are discarded. Also asymmetric encryption is used all the time with PGP/openGPG. I generate a key and encrypt a message to you using relatively speedy symmetric encryption, and then encrypt that key asymmetrically with your public key. I send you the bundled up pgp package. You decrypt the symmetric key with your private key and then decrypt my message. Of course the pgp protocol takes care of the details. At least that's how I think it works anyway.
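The session-key pattern described in the comments by Ungrounded Lightning and cool_arrow, as an added Python example that is not part of any poster's comment and is not ZRTP or the Whisper Systems code: each call runs a fresh Diffie-Hellman exchange, both sides derive the same symmetric key, and the secret exponents are discarded afterwards. Assumptions: the 127-bit group is demonstration-sized only, an HMAC-SHA256 keystream stands in for a real cipher, the names `Endpoint`, `seal`, `unseal` and `run_session` are hypothetical, and the exchange is unauthenticated, so by itself it does not stop an active man in the middle.

```python
import hashlib
import hmac
import secrets

# Demonstration group only: the Mersenne prime 2**127 - 1 is far too small
# for real use; deployed protocols use much larger standardized groups.
P = 2**127 - 1
G = 3


class Endpoint:
    """One side of a call. Holds a DH secret only while a session is set up."""

    def __init__(self):
        self._secret = None

    def offer(self):
        """Pick a fresh ephemeral secret and return the public value to send."""
        self._secret = secrets.randbelow(P - 3) + 2
        return pow(G, self._secret, P)

    def accept(self, peer_public):
        """Combine the peer's public value with our secret, then discard it."""
        if self._secret is None:
            raise RuntimeError("offer() must be called first")
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate public value")
        shared = pow(peer_public, self._secret, P)
        self._secret = None  # nothing remains on the handset to recover later
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _subkey(session_key, label):
    """Derive separate encryption and MAC keys from the one session key."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in for a real stream/block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(session_key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(session_key, b"mac"), body, hashlib.sha256).digest()
    return body + tag


def unseal(session_key, blob):
    """Verify the tag first, then decrypt; raises ValueError on mismatch."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified message")
    nonce, ciphertext = body[:12], body[12:]
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def run_session(alice, bob):
    """Exchange public values and return the key each side derived."""
    a_pub = alice.offer()
    b_pub = bob.offer()
    return alice.accept(b_pub), bob.accept(a_pub)


if __name__ == "__main__":
    alice, bob = Endpoint(), Endpoint()
    first_a, first_b = run_session(alice, bob)
    second_a, _ = run_session(alice, bob)
    recorded = seal(first_a, b"constructed sample message")
    print("same key on both sides:", first_a == first_b)
    print("new key per session:", first_a != second_a)
    print("decrypts with session key:", unseal(first_b, recorded))
```

Because the exponents are gone once `accept()` returns, a ciphertext recorded during one session cannot be opened with the key from a later session or with anything still stored on either endpoint.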

Slashdotter's rejoice! (1)

ColdWetDog (752185) | more than 4 years ago | (#32342720)

Now everybody's mom can call them to dinner without fear of being overheard by certain Three Letter Agencies.

Re:Slashdotter's rejoice! (3, Insightful)

MichaelSmith (789609) | more than 4 years ago | (#32342734)

Well okay but say you are in Iran or Thailand and you want to organize an action against your government. Secure mobile communications would be pretty handy for that.

Re:Slashdotter's rejoice! (3, Insightful)

alx5000 (896642) | more than 4 years ago | (#32342824)

Well, okay, but say you are the government of Iran or Thailand and you don't want anyone to organize anything against you. Outlawing secure mobile communications would be pretty handy for that.

Yes, your message is secure, but without some kind of steganographic method, the fact that you're using encryption is not. And neither are you, for that matter.

Re:Slashdotter's rejoice! (1)

MichaelSmith (789609) | more than 4 years ago | (#32342868)

steganographic method

That's true. Maybe something which hooks into a picture exchanging site like 4chan. Conceals messages in images so the recipient grabs new images before they go 404.

Re:Slashdotter's rejoice! (0)

Anonymous Coward | more than 4 years ago | (#32343192)

The secure protocol they developed for the text messaging app is actually pretty clever in that there is no simple identifier that can be used to filter through text messages at a nation-wide level to determine which are encrypted.

Re:Slashdotter's rejoice! (1)

Hatta (162192) | more than 4 years ago | (#32343440)

Encrypted data looks like random binary data. Text messages do not. It would be fairly easy to distinguish the two.

Re:Slashdotter's rejoice! (3, Funny)

Sir_Lewk (967686) | more than 4 years ago | (#32344252)

Use your imagination. It is extremely trivial to make encrypted data look like text. Hell, you can even make it look statistically like English. You'd have that character limit thing to worry about, but I believe most phones these days "get around that" by transparently using multiple messages at once.

Re:Slashdotter's rejoice! (2)

sznupi (719324) | more than 4 years ago | (#32344296)

I believe it's either encrypted or looking statistically like text / english. "Texting language" might be of some considerable help, plus perhaps whole words of "texting" used as substitutes for symbols...but that still should be fairly trivial to filter (starting with messages of ungodly length)

Re:Slashdotter's rejoice! (1)

Sir_Lewk (967686) | more than 4 years ago | (#32344900)

Not at all. You first encrypt the message, then you 'encode' it in such a way that it then has English-like properties. Your message length of course bloats but it should evade any sort of automated scanning setup. It's basically a form of steganography.

http://www.schneier.com/blog/archives/2010/03/natural_languag.html [schneier.com]

This is just the first link I found, but if you look around a bit you'll find more. Technically this is about disguising code as English, but the concept is very similar. IIRC that paper actually references some other (more relevant) papers itself. It's actually a pretty well established concept.

Re:Slashdotter's rejoice! (2, Informative)

Sir_Lewk (967686) | more than 4 years ago | (#32344922)

Sorry, should have looked a bit more before posting:

http://www.nicetext.com/ [nicetext.com]

Far more relevant link. In particular, note the papers listed in the left column.

Re:Slashdotter's rejoice! (1)

sznupi (719324) | more than 4 years ago | (#32345086)

That's what I said..."whole words of "texting" used as substitutes for symbols". But that still doesn't look like written text, has totally different statistical properties; you...just use a different kind of symbols (after all, each letter in an sms is also not a single bit already)
So (what I also said) "that still should be fairly trivial to filter (starting with messages of ungodly length)"

Re:Slashdotter's rejoice! (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32342844)

I'm guessing that, in the dystopian future, the list of evil governments that would suppress speech but not ban encrypting it will be very short. (for commercial reasons, of course, various sorts of "tame" encryption, useful for keeping criminals out of banking sessions; but transparent to the authorities will be permitted, even encouraged)

It isn't all that hard to hide exactly what you are up to. It is harder to hide that you are hiding something. Any sufficiently evil regime will just make hiding something a crime (and we aren't talking purely theoretical, or confined to the former soviet republic of fascistan. Britain is basically there already.)

Re:Slashdotter's rejoice! (1)

MichaelSmith (789609) | more than 4 years ago | (#32342914)

Any sufficiently evil regime will just make hiding something a crime

Ah yes [telegraph.co.uk]

Re:Slashdotter's rejoice! (1)

EdIII (1114411) | more than 4 years ago | (#32343016)

keeping criminals out of banking sessions; but transparent to the authorities will be permitted, even encouraged

That's demonstrably retarded thinking on behalf of the government. Criminal organizations are always going to be at the forefront of technology in order to achieve their goals.

Criminals today, not the thugs on the street, are pretty savvy. Even the most complex alarm systems are broken into, encryption and systems still have other vulnerabilities and backdoors.

I would be extraordinarily shocked if the government could put together an encryption algorithm to keep out criminals while providing them access. More likely, criminals will purchase access from corrupt government officials. Thank God we don't have too many of those running around right?

It's that old saying, "Outlaw guns and the only people who will be hurt are honest citizens".

Re:Slashdotter's rejoice! (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32344168)

It's that old saying, "Outlaw guns and the only people who will be hurt are honest citizens"

i thought the saying was "outlaw guns and the only people who will have guns will be outlaws"

Re:Slashdotter's rejoice! (1)

DragonWriter (970822) | more than 4 years ago | (#32343244)

I'm guessing that, in the dystopian future, the list of evil governments that would suppress speech but not ban encrypting it will be very short.

Probably, but encryption is still valuable to the victims of such regimes as one (of several) layers of protection, as the government discovering that you are (illegally or not) concealing information from them is not as useful to the repressive government as finding out the content of the encrypted communication.

Re:Slashdotter's rejoice! (2, Insightful)

sznupi (719324) | more than 4 years ago | (#32344472)

Really repressive governments are very skilled in the techniques of rubber hose cryptanalysis (well, some of the formally not-repressive ones also are, as long as they can put the encrypted data being analysed in a legal limbo)

Re:Slashdotter's rejoice! (1)

DragonWriter (970822) | more than 4 years ago | (#32345160)

Really repressive governments are very skilled in the techniques of rubber hose cryptanalysis

More effective, but less repressive, governments know that that method is far better at getting people -- guilty or not -- to confess and implicate a laundry list of "accomplices" -- guilty or not -- than it is at actually revealing what the target actually knows.

Actually, "really repressive" governments are generally aware of that, too, for the most part, though given that loyalty is valued far more than competence in such regimes, there may be some exceptions.

But even leaving that aside, given that repressive regimes will have enemies, and given that those enemies will work against the regime, and given that the regime will devote its energies to identifying them, exposing their secrets, and suppressing them, it's better for them to have encryption than not.

Re:Slashdotter's rejoice! (1)

sznupi (719324) | more than 4 years ago | (#32345202)

Uhm, in case of breaking encryption that method usually doesn't have typical downsides. You either know the keys, which is good since you can give them. Or you don't know them...which is not so good for you.

Re:Slashdotter's rejoice! (1)

NotBornYesterday (1093817) | more than 4 years ago | (#32345184)

Oblig xkcd. [xkcd.com]

Re:Slashdotter's rejoice! (0)

maxume (22995) | more than 4 years ago | (#32343412)

Good news: The dystopian future is not coming.

I mean, the United States barely tried to hide the fact that it went fascist/authoritarian during WWI (may require squinting), and Aldous Huxley's writings make much more sense when interpreted as a scathing criticism of actual government eugenics programs during his day than if it is interpreted as a 'warning' about the potential for government to try to control the populace (gee-willikers Batman, the Department of Education insists on a reasonable, factual curriculum, hopefully they don't start rounding people up and sterilizing them!).

Throw in the ever-dropping cost of energy, and we are bound to be back to sticks and stones in a generation or two.

Ever dropping cost of energy? (0, Offtopic)

cdrguru (88047) | more than 4 years ago | (#32343582)

Well, I hate to break it to you, but more than a few people are of the opinion that people in the US and companies should start paying for their impact on the climate, i.e., a carbon tax. Oh, and with that little hiccup in the Gulf they want companies to pay for their potential environmental impact as well. This would be a pre-emptive strike against coal and oil.

Today, that would mean $10 a gallon gasoline and similarly doubling or tripling the cost of coal.

I suspect it will be a difficult measure to pass, but it is very likely to do so in the near future. Certainly Obama is on the side of a carbon tax.

Considering we haven't built a big power plant in decades and are on the edges of running out of electric power, I don't see this getting any cheaper anytime soon either. There are proposals to build new nuclear plants, but they will likely sit for years and years as the environmental battles go on and on. Even if we pushed the environmentalists out of the way it would be 10 years before a large plant came online.

I keep hearing about building new transmission lines to improve the grid? Where? Maybe in the middle of Montana or in Death Valley. I know anyone proposing building such a thing near a populated area is just being stupid - every such proposal lately has been shot down. This is why they are thinking of building a new transmission line through a lake because there are no homes at the bottom of the lake.

We are likely to see rationing of electricity within the next few years. Transportation is going to get a lot more expensive and this will push the price of everything up. It might make cheap stuff from China impractical to ship to the US which would be a net benefit, but it will also make farm goods from the state next door much more expensive.

Re:Ever dropping cost of energy? (1)

maxume (22995) | more than 4 years ago | (#32343714)

If a tariff makes coal triple in cost, wind and nuclear start looking pretty okay.

And if you think that rationing and massive price increases will not put a damper on NIMBY, you're nuts.

As for the rest of your 'analysis', Watts Bar seems to count as major:

http://en.wikipedia.org/wiki/Watts_Bar_Nuclear_Generating_Station [wikipedia.org]

I suppose the fact that they started it 35 years ago takes away from the fact that they brought it online 15 years ago. Never mind that attitudes have shifted enough that they are going to complete the other half in a few years.

Also, people currently spend more money driving to the damn grocery store than it costs to ship stuff thousands of miles, I wouldn't worry about getting stuff from the next state over (so, each pound of food consumes way more energy in your car than it consumes in the semi/cargo ship. For example, b-a--n-a--n-a-s are practically free at my grocer.).

And then there is the whole thing where petroleum prices over ~$120 are obviously unsustainable (We have real life experience of this, from a couple years ago. Also, much of the $10 a gallon that you are fear-mongering about would be going to the gub'mint, to subsidize other transportation options and such).

The worst thing you are doing is assuming that investors in power companies (which are generally regulated in a way that the return on investment is okay, but not great) would want to put massive amounts of capital into having a bunch of extra power generation sitting offline, rather than trying to maximize the return on the capital that they have already invested.

Re:Ever dropping cost of energy? (1)

dgatwood (11270) | more than 4 years ago | (#32343804)

I'm okay with $10 per gallon gasoline under two conditions:

  • every PENNY of those $7 in taxes must be given out in the form of research grants to companies and universities working on developing alternative energy technologies.
  • every single patent resulting out of those grants must belong to the U.S. government and must be freely licensed to any U.S. company that wants to produce such a product under the condition that the products be manufactured in the U.S.

As long as that money actually goes towards developing technology to bring the cost of renewable energy down, then great. But that's not what will happen. It will be used to penalize people who use energy and to give huge grants to megacorps that then use our hard-earned dollars to develop technology that only benefits themselves. And that's not cool.

Re:Ever dropping cost of energy? (1)

maxume (22995) | more than 4 years ago | (#32343822)

Also, your timescales are off, South Carolina Electric & Gas doesn't even have a license yet and they figure they can have a 1.1 GW reactor online by 2016:

http://en.wikipedia.org/wiki/Virgil_C._Summer_Nuclear_Generating_Station [wikipedia.org]

(Though they have completed much of the engineering, which probably speeds things up, I'm not sure how the licensing process interacts with the engineering).

Re:Ever dropping cost of energy? (1)

sznupi (719324) | more than 4 years ago | (#32344416)

About time? It's pretty hard to be more wasteful than the US [wikipedia.org] (X axis), which per capita claims around 3 times more resources compared to the most lean places with similar standard of living.

Re:Slashdotter's rejoice! (3, Informative)

penguinchris (1020961) | more than 4 years ago | (#32343572)

Just a small comment, I don't think you can group Thailand with Iran when it comes to restricting/monitoring communications. They do block websites (trivial to get around if you want to) but they don't block dissent against the government in any way, and I'm guessing they monitor it less than the NSA monitors US citizens.

And that's beside the fact that you can get pre-paid mobile phones for the equivalent of $10 in cash with very cheap add-on minutes (also pay for those in cash) which for all practical purposes are untraceable, because if you're paranoid you can switch them around or whatever.

I'm defending Thailand because the foreign press has distorted what happened there recently quite a bit. It's nothing like Iran. People are free to protest the government, despite what it may seem after the violence recently in Bangkok.

Re:Slashdotter's rejoice! (1)

mjwx (966435) | more than 4 years ago | (#32344674)

Well okay but say you are in Iran or Thailand and you want organize an action against your government. Secure mobile communications would be pretty handy for that.

Thailand is a bad example, the redshirts plot against the government by protesting in the streets as well as burning government buildings and large shopping malls. Besides, I'm not sure if you know too much about the actual problem causers (the western media has been horrible at reporting it, even the Beeb has been little better than Fox News) like Thaksin already have and are using encrypted sat phones to talk to the red commanders/ring leaders who also have encrypted sat phones. My point is that if you're at the stage of being a semi-organised resistance group with the money and logistics to equip members with smartphones then you already have access to more secure communications that aren't reliant on the infrastructure of the organisation you are trying to resist.

Iran would be a better example, but with the youth (don't know if the organisation has a name, but their colour is green, why must every revolutionary have a colour and I'm still waiting for a movement to pick fuchsia) plotting by using facebook, twitter and SMS yet the Iranian government is powerless against it despite controlling all communications.

In the end, revolutionaries will just meet in person and use simple ciphers and code phrases over unencrypted lines that are impervious to the best of decryption technologies.

Re:Slashdotter's rejoice! (1)

LingNoi (1066278) | more than 4 years ago | (#32345300)

Except it wouldn't because they shutdown mobile base stations, telephone lines, electricity and water in the protest areas in Thailand.

Re:Slashdotter's rejoice! (0)

Anonymous Coward | more than 4 years ago | (#32342774)

The NWA?

What I'd like to see (a PGP/gpg variant). (3, Interesting)

Anonymous Coward | more than 4 years ago | (#32342744)

What I would like to see is a PGP/gpg utility for Android. The closest I can get to this is cross-compiling a statically linked gpg binary for ARM and running that in a terminal.

Re:What I'd like to see (a PGP/gpg variant). (0)

Anonymous Coward | more than 4 years ago | (#32342970)

How much you willing to pay me?

Seriously, though...I think it's really a matter of finding someone who is willing to a) work on it, and b) put the effort into making it work well....which is not exactly easy on a small platform.

Personally, I'd really like to take a crack at this one...if I can fit it into the the million other things I have to do.

Re:What I'd like to see (a PGP/gpg variant). (1)

Sir_Lewk (967686) | more than 4 years ago | (#32344292)

put the effort into making it work well....which is not exactly easy on a small platform.

Huh? I used to use PGP/GPG on my old PII all the time, damned near any cellphone you can get these days are several times as powerful. It's just a bunch of very common crypto primitives, I'm sure there already exist plenty of efficient implementations for ARM.

Actually, Android is more or less a linux machine isn't it? Why couldn't you just rebuild GNU GPG for it and hack together some quick and dirty interface? Has nobody really done this yet?

Re:What I'd like to see (a PGP/gpg variant). (1)

cool_arrow (881921) | more than 4 years ago | (#32343350)

From what I understand, implementing encryption correctly is tricky business. This looks good: http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ [auckland.ac.nz]

We'll know it's pretty good when it's outlawed (4, Interesting)

bzzfzz (1542813) | more than 4 years ago | (#32342818)

We'll know it's at least OK if the FBI and CIA start lobbying Congress to outlaw it.

We'll know it's pretty good if the NSA starts lobbying Congress to outlaw it.

The government is absolutely convinced that law enforcement will come to a screeching halt if people can communicate casually without being subject to eavesdropping. This despite the courts' general distaste for such evidence (people rarely speak candidly in phone conversations regarding criminal enterprises and therefore establishing context and the meaning of codewords becomes a prosecutorial hurdle), and the paucity of successful prosecutions built primarily on the strength of intercepts.

So we've had cryptography treated as a munition. And Clipper. And CALEA.

Of course, if the keys are on a server somewhere they can always just subpoena them.

Re:We'll know it's pretty good when it's outlawed (3, Informative)

e9th (652576) | more than 4 years ago | (#32342950)

As far as I know, the Justice Department's position hasn't changed much since this [cybercrime.gov] 1998 policy FAQ.

Anyone have any later statements from them?

Re:We'll know it's pretty good when it's outlawed (1)

unix1 (1667411) | more than 4 years ago | (#32343188)

Wow, even they couldn't avoid the car analogy [cybercrime.gov] .

Re:We'll know it's pretty good when it's outlawed (0)

Anonymous Coward | more than 4 years ago | (#32343028)

It's end-to-end encryption with forward-secure protocols, so the keys aren't on a server *and* they're dropped from the devices after communication is complete.

Re:We'll know it's pretty good when it's outlawed (1)

DragonWriter (970822) | more than 4 years ago | (#32343268)

The government is absolutely convinced that law enforcement will come to a screeching halt if people can communicate casually without being subject to eavesdropping.

Some people in government are, some people in government pretend to be to sell policies they wish to abuse for purposes other than the overt purpose, and some people in government don't even pretend to be. "The government" -- even referring to any single, particular government -- isn't a hivemind with a uniform point of view or agenda.

Re:We'll know it's pretty good when it's outlawed (1)

spinkham (56603) | more than 4 years ago | (#32343608)

This is really not a problem. If the Gov't really wants access to your calls, they bug your room, bug your computer microphone, install custom phone firmware with a backdoor, etc. Usually all the Gov't cares about is the metadata: Who called who when. The conversations themselves are gravy.

Encryption stops casual snooping, and I highly recommend its use, even against gov't level attacks. However, if the Gov't really is interested in you specifically, you're hosed no matter what countermeasures you use.

Re:We'll know it's pretty good when it's outlawed (1)

failedlogic (627314) | more than 4 years ago | (#32344256)

What's wrong with you? It's not about the FBI, CIA, NSA, courts, subpoena, eavesdropping, munition or any of that. Look at this list you made up, I think you're paranoid.

Sheesh. I thought this was already obvious.

It's all to protect the good children and to stop the terrorist children.

Moxie Marlinspike (2, Funny)

Obama (1458545) | more than 4 years ago | (#32342854)

Moxie Marlinspike, there's that guy again! Wish I had a recognizable name like him.

the solution is Klingon (3, Funny)

MoFoQ (584566) | more than 4 years ago | (#32342896)

It just reminds me that I really need to start speaking in Klingon more frequently.

Re:the solution is Klingon (3, Funny)

biryokumaru (822262) | more than 4 years ago | (#32343006)

I've been using Romulan for years and no one's been able to crack it yet.

Jolan tru!

Re:the solution is Klingon (1)

by (1706743) (1706744) | more than 4 years ago | (#32343212)

Well, unless someone's using an iPhone [wikipedia.org] ...

...In 2009, publisher Simon & Schuster introduced an iPhone application version of The Klingon Dictionary...

Re:the solution is Klingon (1)

MoFoQ (584566) | more than 4 years ago | (#32344164)

Then perhaps Goa'uld might be better.

Re:the solution is Klingon (1)

jo_ham (604554) | more than 4 years ago | (#32343226)

I use Vorlon exclusively.

This does mean I have a tendency to speak in short, cryptic messages, and when people ask me what time I'll be at a meeting I always reply "I have always been here".

Re:the solution is Klingon (2, Informative)

Bugamn (1769722) | more than 4 years ago | (#32343324)

I use Vogon poetry. They may even eavesdrop, but they will soon wish they hadn't.

just installed (1)

nimbius (983462) | more than 4 years ago | (#32343216)

the beta...be advised it's "US Only" at this time apparently.

"Encrypted call" is misleading (4, Insightful)

Coward Anonymous (110649) | more than 4 years ago | (#32343284)

It's a VOIP app that encrypts the audio. Except for the fact that the protocol itself is documented, this is not materially different from Skype, which is also encrypted and has governments apparently scrambling to crack.
A truly revolutionary app would encrypt the phone's mobile call audio.

Re:"Encrypted call" is misleading (0)

Anonymous Coward | more than 4 years ago | (#32343452)

A truly revolutionary app would encrypt the phone's mobile call audio.

iPhone/Android still don't have this? (and people were getting so upset that even openmoko couldn't manage it)

IIRC...

GSM encoders for voice calls (which have to be certified closed-source to be used) don't allow encryption other than GSM's own.

GSM data calls would let you have encrypted calls, but the cell carriers drop those packets so far down in priority that you don't get a reliable connection. Oh, and they charge you a lot more for the same volume of data if it's marked as 'data'.

Encoding encrypted data as audio to send over a GSM voice call was suggested, but good luck getting anything back once GSM has compressed it with audio assumptions.

Re:"Encrypted call" is misleading (3, Informative)

Anonymous Coward | more than 4 years ago | (#32343660)

You said:

Except for the fact that the protocol itself is documented, this is not materially different from Skype, which is also encrypted and has governments apparently scrambling to crack.
A truly revolutionary app would encrypt the phone's mobile call audio.

TFA says:

Whisper Systems' apps aren't the first to bring encrypted VoIP to smartphones. But apps like Skype and Vonage don't publish their source code, leaving the rigor of their security largely a matter of speculation. Marlinspike argues that because those apps interface with the traditional telephone network, they may also be subject to the Communications Assistance for Law Enforcement Act (CALEA), which requires companies to build backdoors into their technologies for law enforcement wiretaps.

Re:"Encrypted call" is misleading (0)

Anonymous Coward | more than 4 years ago | (#32343688)

skype which is also encrypted and has governments apparently scrambling to crack

Except for those privileged users in the Peoples Republic of Bavaria http://yro.slashdot.org/article.pl?sid=08/01/26/1339249 [slashdot.org] and China http://www.informationweek.com/news/telecom/voip/showArticle.jhtml?articleID=210605439 [informationweek.com] .

Re:"Encrypted call" is misleading (2, Informative)

Anonymous Coward | more than 4 years ago | (#32344266)

For the same reason you don't see apps that record calls (Google Voice does somewhat, but is not doing so in the phone) you'll never see an app which encrypts the phone call. It's just not possible to route the audio through the processor of these phones. Therefore it truly _would_ be revolutionary, since it's impossible by design.

Re:"Encrypted call" is misleading (0)

Anonymous Coward | more than 4 years ago | (#32344998)

Skype is already decrypted and broken through Fring. Israel has been tapping Skype through Fring for how many years now?

Re:"Encrypted call" is misleading (2, Informative)

Loualbano2 (98133) | more than 4 years ago | (#32345178)

A product like that came out a long time ago.

http://www.pgpi.org/products/pgpfone/ [pgpi.org]

I don't think it's supported much anymore. It was a cool concept that just didn't seem to go anywhere.

ft

Re:"Encrypted call" is misleading (1)

rsborg (111459) | more than 4 years ago | (#32345200)

http://www.pgpi.org/products/pgpfone/
I don't think it's supported much anymore. It was a cool concept that just didn't seem to go anywhere.

Seems it might have been a bit ahead of its time, as the majority of the work was done prior to the revelation that the US Government was massively spying on its citizens.

Re:"Encrypted call" is misleading (1)

quercus.aeternam (1174283) | more than 4 years ago | (#32345240)

Trying to re-assemble information after being passed through a lossy pipe is hard. I wouldn't want to tackle it - it has too many variables, and it would be too easy to detect and shut down.

Successfully solving these problems would be revolutionary - but also advanced enough that it could be considered magical.

How old is Skype? (1)

MikePlacid (512819) | more than 4 years ago | (#32343298)

Skype provides encrypted calls and SMS for how many years now? Oh, this is from Forbes...

Re:How old is Skype? (1)

Ungrounded Lightning (62228) | more than 4 years ago | (#32343612)

Skype provides encrypted calls and SMS for how many years now?

But it's closed source and runs through an infrastructure that is subject to government pressure for disclosure.

how does this work? (1)

cool_arrow (881921) | more than 4 years ago | (#32343596)

There don't seem to be too many details on their site yet. I am wondering if both parties establish a connection with the Whisper Systems server and make the connection that way? Is this end to end encryption? Is the key exchange end to end or with their server? I didn't think that a mobile phone could receive an incoming data connection without a special account.

Re:how does this work? (0)

Anonymous Coward | more than 4 years ago | (#32344138)

It's end to end encryption. They use SMS to get a signal to the responder phone so that both phones can connect out to each other.

Re:how does this work? (1)

sznupi (719324) | more than 4 years ago | (#32344604)

http://en.wikipedia.org/wiki/ZRTP [wikipedia.org]
http://en.wikipedia.org/wiki/Zfone [wikipedia.org]

Not the first implementation for mobile phones, too.

Re:how does this work? (1)

cool_arrow (881921) | more than 4 years ago | (#32344918)

I understand how ZRTP can work when a computer is calling another computer (two things with IP addresses). What I don't understand is how you get two mobile phones to do the same thing without a special account with the network operator. It seems all those supplying encrypted mobile phones these days require you to have a CSD (circuit switched data or similar) account for your phone (it's the incoming data call that is the problem). My guess is that the purpose of the SMS message is to tell the guy you want to call to initiate a data call to the "whisper" server. You are then patched together via their server for key exchange and subsequent communication. Just guessing.

Re:how does this work? (1)

sznupi (719324) | more than 4 years ago | (#32345062)

Well, the simplest is just to...make a call. GSM has a data channel; this thing [privatewave.com] does just that, for example.

Plus SMS messages might just as well exchange the IP of already established connections, right?

Re:how does this work? (1)

cool_arrow (881921) | more than 4 years ago | (#32345352)

I understand you can do data with GSM. "privateGSM" is for making mobile to mobile data calls and for that you need a CSD account or equivalent (read the link you provided). This is not the same thing as what is being described in the article here. CSD is like using a modem to establish a connection and it is relatively expensive. You can use your GSM mobile to make a data connection to a server on the web but it seems that if you want to make a data call directly to another mobile you have to have a special account.

Hmmmmm..... triple chocolate (1)

Atari400 (1174925) | more than 4 years ago | (#32343802)

1) Encryption = hidden writing
2) Whisper = Popular UK chocolate bar, now withdrawn
3) Whisper Systems (anag) Sweetish Mrs Spy

Here comes the terror (0, Offtopic)

joelsanda (619660) | more than 4 years ago | (#32344218)

It won't be long until people try to light shoes on fire on cross-Atlantic flights or attempt something on a plane landing in, oh, say, Detroit or something. All because people have something to hide ...

So, finally an alternative to Blackberry? (0)

Anonymous Coward | more than 4 years ago | (#32344258)

Secure communications seems to be the often cited reason for the popularity of Blackberrys among corporates and politicians. If Android is able to pull this off, Blackberry's image of a cult device are numbered.

probably not secure (1)

wkk2 (808881) | more than 4 years ago | (#32344280)

It won't be secure unless the hardware, software and distribution are controlled, tracked and audited. Prove there isn't a hidden API in the RF modem that will dump RAM and the keys on command.

Why Not Use TOR As Well? (2, Interesting)

no1home (1271260) | more than 4 years ago | (#32344424)

Since it's going out as a VOIP call, why not route it via TOR? Yes, it would likely slow down the talking a bit (great, I could finally take notes while still keeping up with the conversation), but it would make it that much more difficult to track down the caller and/or recipient. Might also work for the SMS if it's using an Internet-based route instead of the actual cell system SMS.

Re:Why Not Use TOR As Well? (1)

physicsphairy (720718) | more than 4 years ago | (#32345232)

The encryption for streaming voice data is not exactly the best, and Tor means possible third party interception. If someone does decrypt the conversation then just from your tonal range and dialect you are communicating significant information about your identity you wouldn't have to over email (you may even be providing a unique fingerprint). Phone numbers are much more identifying than IP addresses--cellphones can be easily triangulated from the data sent to the carrier, and have to be bought and activated somewhere; a computer can connect to any guy's unsecured wi-fi and fake all the data. I can't really think of the instance in which sending phone calls over Tor would be preferable to some other tech solution.
