Encrypting Phone Storage and Transmission? (2011 Version)

timothy posted more than 3 years ago | from the enough-line-breaks-are-indistinguishable-from-encryption dept.

Encryption 198

An anonymous reader writes "Soon I'll be moving to one of the hot, culturally restrictive countries which has recently been in the news ... and which monitors and filters web traffic. ISPs and cellular providers are both owned by the government. Needless to say, I'm concerned about privacy and am even posting to my fellow Slashdotters as an anonymous coward. Which smart phones are the best for a) encrypted storage, and b) encrypted transmission? I'm not worried about encrypting SMSs or traditional voice traffic, but I would like all IP traffic as secure as possible. Setting up a server in my less restrictive home country is an option. What storage encryption and transmission encryption would you recommend for that situation? I'm willing to buy yet another device, if necessary. (No, I won't get a SatPhone.) I currently have a Nokia N900 running Maemo5 and another device running Symbian S60v3. I was hoping to have a secure OS like BackTrack running on the N900, but it looks like the software was never totally ported for the device."

198 comments

First post... (-1)

Anonymous Coward | more than 3 years ago | (#35237538)

I've been waiting years for this.

Re:First post... (1)

grei9715 (688827) | more than 3 years ago | (#35237582)

Ah, but was your first post made securely?

Traditional VPN? (4, Informative)

RyuuzakiTetsuya (195424) | more than 3 years ago | (#35237570)

Why not a traditional VPN with an Android or iOS device? Symbian should also be able to support VPN connections as well.

Re:Traditional VPN? (3, Informative)

b0bby (201198) | more than 3 years ago | (#35237670)

That's my thought too. There are lots of reasonably priced VPN services out there, or you could run your own. But for ~$10 a month or less, why bother? I've used the $6 "Premium" service from hideipvpn.com & it was fine, I'm sure that there are others that are just as good though.

Re:Traditional VPN? (1)

LifesABeach (234436) | more than 3 years ago | (#35238832)

Phones can be jammed, electricity can be turned off. Given the 5th world pride of Islam's Leaders, use Semaphore [wikipedia.org], in some tested cases, it's better than AT&T's service.

CQ? CQ? (1)

Aqualung812 (959532) | more than 3 years ago | (#35239138)

While I think the parent is being funny, Ham Radio would be something that couldn't be stopped as long as you have little power.

Re:Traditional VPN? (2)

morcego (260031) | more than 3 years ago | (#35237768)

I have OpenVPN running nicely on my Android 2.1 phone. Had to root it, tho.

And since you are rooting it, you should be able to partition your sdcard and set up some kind of encrypted filesystem. I haven't tried it yet, but might just to see if it is possible.

Also, in a country like that, you might try getting a phone without a camera... just in case.

Re:Traditional VPN? (0)

Anonymous Coward | more than 3 years ago | (#35238094)

You'll probably either have to recompile the kernel, or compile and install the encryption & fs modules. Fitting on 1GB ROM means sacrificing kernel options desktop distros do not.

...but at least it's possible with enough effort, if you're a geek. Which is what I like most about Android.

Though it's not like 90% of /. userbase would or could do it on their own without a step-by-step tutorial.

Re:Traditional VPN? (5, Insightful)

MoonBuggy (611105) | more than 3 years ago | (#35238022)

I thought the same, but there are a few important supplementary questions (to which I don't know the answers):

  • By consistently streaming encrypted information out of the country, will you just make yourself a target for more invasive surveillance measures (and perhaps some rubber hose cryptanalysis)?
  • When the ISP themselves are your adversary, you're at an immediate security disadvantage. How far can they go towards cracking your connection when they can monitor everything you transmit, and cross reference it with real-world info about you?
  • If your connection is compromised, how much extra risk are you at? Is the sense of security leading you to transmit things that you wouldn't otherwise have committed to writing, and might they cause you trouble?
  • Are these encryption measures legal where you're going? Even if so, are the state the type who might see it as a reason to throw you in jail on vague espionage charges?

I understand wanting to maintain your privacy as a matter of principle, but ultimately you're the one choosing to go to their country. You don't have to like it, but you do have to live by their rules. From my own experience travelling in some of the more repressive parts of the world, I would say that there's generally a certain amount of leeway given to foreigners that isn't afforded to locals, but you're still safer not giving them an excuse to pay you any extra attention. What I can't tell you (especially without knowing which country you're going to) is what they will or will not consider to be an excuse; honestly I doubt that even a police chief in the country could give you a definitive answer in a lot of places - the strictness of the definition tends to be inversely proportional to the wealth and influence wielded by the person that it is being applied to.

Just bear in mind that while it may be discomforting to know they're reading your emails home, they probably don't care what you're saying. They might well start caring about the fact that they can't see what you're saying.

Re:Traditional VPN? (1)

postbigbang (761081) | more than 3 years ago | (#35238568)

Using a VPN doesn't automatically finger you. Keyword filters-- the spoken kind of keywords-- do. If you do data, reboot frequently to change your IP address. Or, if you think about it, change your MAC and IP address by incrementing by 1 or 2 (etc) your address; you're unlikely to bump into a collision. Smart guys figure out address domains.

Otherwise, figure you're being listened to all the time. GSM is as easy to crack as an egg these days. Data ought to be encrypted as mentioned above. Don't save files with names like 'terroristplantonukethebigdam'. Be sane. Be a bit extra paranoid. Have fun.

Re:Traditional VPN? (3, Insightful)

gandhi_2 (1108023) | more than 3 years ago | (#35238162)

Could a constant stream of encrypted data going thru his carrier and ISP bring government attention to him or her?

Will this hot, culturally restrictive government just throw their hands up and say, "well... he's got a VPN... not much we can do"?

Re:Traditional VPN? (1)

lakeland (218447) | more than 3 years ago | (#35238274)

Right, most phones can be set to send all IP traffic over the VPN. That'll mean someone has to break your VPN to get at the traffic which is hard enough you may as well consider it impossible. Also, it has the advantage of being very easy to set up.

Re:Traditional VPN? (0)

Anonymous Coward | more than 3 years ago | (#35238378)

If you are going to Iran, I can tell you that OpenVPN does NOT work in any way. I've tried UDP, TCP, random ports, even static keys (to avoid TLS detection). I've looked at the traffic with tcpdump and it seemed they could detect it's OpenVPN after the connection was established (don't really recall the details) and simply drop the connection and block the destination IP:port for a while afterwards. SSH, PPTP and Tor were working back then. I wouldn't rely on it though. Also, expect very bad connections to outside (sometimes incredibly bad). Occasionally the connection was good enough to use Skype over OpenVPN over SSH :D.

If you are going to KSA, you might be in luck: OpenVPN, SSH, Tor worked. Might still be working, though with the recent developments in the area they might have started to filter more aggressively.

In any case, I recommend avoiding the use of cryptography too much because it will almost certainly turn on some alarms. And in some places cryptography might actually be against the law. I wish you good luck!

Encrypted storage on Android? (1)

Dast (10275) | more than 3 years ago | (#35238816)

And what would one use for the first of the two requirements, encrypted storage, on an Android platform? I'd love to hear of a solution.

Re:Traditional VPN? (1)

Anonymous Coward | more than 3 years ago | (#35239262)

Different A/C from op...

But...do you use the same android I use? Off the shelf, and even on my jailbroken G2. Android doesn't support full device encryption. Maybe vendors have a model out there that does...

Even the remote wipe on the ones that claim to support exchange... is...a lie.

A freaking blackberry or iphone is more secure out of the box!

Let's see... no options to remotely wipe it without third party apps. No ability to have any sort of 'wipe' behavior happen on bad password input. There are 'wiper' apps--so I can send my phone a text message and have it zero itself out. That's slightly better than nothing at all.

No ability to encrypt all local storage requiring a password to make the previous option *actually* useful. So any remotely competent forensics team can power the thing down or throw it into a foiled bag, take it out inside and remotely image it. Probably over USB by default, although I haven't tried it.

No, instead they have a crappy app store where I can purchase an app that will send encrypted SMS messages to encrypted people, and store it in an encrypted file separate from my regular messages.

But the fucking thing still saves my google password for anybody who cares to enter a pin along with a bunch of email.

And VPN...I bet out of the box the damned VPN password is unencrypted. If it doesn't use a password, it probably caches the password to the certificate forever. Just great..now anyone who gets their hands on it can impersonate me.

Look, Android is convenient...but if I ran a company and set the security policy, they'd be added to a document as a firing offense to use in their current state.

Watch out (3, Interesting)

Anonymous Coward | more than 3 years ago | (#35237584)

If you are going to Saudi...co-workers couldn't wait to get the hell out of there. VERY SCARY PLACE. Public beheadings on Fridays.

Re:Watch out (2, Funny)

Anonymous Coward | more than 3 years ago | (#35239094)

But the Saudis are an American ally? How could they be a brutal, repressive dictatorship that exports terror to the world if they're an American ally?

I heard from Glenn Beck that Kenyan Muslim Communists like Obama want to overthrow our allies in the middle east to spread the Muslim Caliphate across the world. Are you a Kenyan Muslim Communist?

Start all your conversations with .... (1)

Anonymous Coward | more than 3 years ago | (#35237594)

Start all your conversations with "Death to America! Long live the revolution!" And if you're in a Muslim country, tack on "Allah be with us all!" They won't even bother to listen to the rest of your conversation.

You're welcome! No problem!

Re:Start all your conversations with .... (0)

Anonymous Coward | more than 3 years ago | (#35237956)

Great plan. Instead of an old-fashioned castration for watching online porn, you've earned yourself a lifetime sentence in Gitmo complete with daily torture.

Re:Start all your conversations with .... (1)

cheater512 (783349) | more than 3 years ago | (#35238528)

Or alternatively if the oppressive country is the US, just start it with "God bless America!"

Re:Start all your conversations with .... (0)

Anonymous Coward | more than 3 years ago | (#35239246)

Haha, blessed with what? I can't wait to get the hell out of here.

Buy the phone in that country (4, Interesting)

ogfomk (677034) | more than 3 years ago | (#35237600)

You will just need to buy that phone in the country you are going to. Otherwise you may lose it through customs unless you are a diplomat. Best to get something boring and assume that everything you send is readable by anyone. If you keep something that is valuable there is nothing that customs would like better than to have your device.

A little different (1)

BigJClark (1226554) | more than 3 years ago | (#35237616)


This isn't the exact solution, but you should be able to tunnel a skype connection over the Tor network, for a short period of time.

Depends on the length of communication, which isn't stated in the question.

Re:A little different (1)

Lehk228 (705449) | more than 3 years ago | (#35238264)

but if you are carrying around a fiber optic line to handle that, why not just use it directly?

boncee (3, Interesting)

Lord Ender (156273) | more than 3 years ago | (#35237642)

Bouncee [bouncee.net] is a VPN service designed to protect the privacy of international travelers. It encrypts all your network traffic and routes it through a server in the United States.

It's also really, really cheap. This sounds like what he's looking for.

Re:boncee (1)

icebike (68054) | more than 3 years ago | (#35237734)

Bouncee [bouncee.net] is a VPN service designed to protect the privacy of international travelers. It encrypts all your network traffic and routes it through a server in the United States.

It's also really, really cheap. This sounds like what he's looking for.

Do they have a mobile version?

Re:boncee (1)

Lord Ender (156273) | more than 3 years ago | (#35237828)

Right now PC is supported, but mobile support is planned.

Re:boncee (2)

zonky (1153039) | more than 3 years ago | (#35238520)

I'm not sure why everyone always trusts the other ends of these cheap vpn services so readily. If you wanted to set up a credential fishing operation - why wouldn't you just set one of these up and watch the exit gateway?

Re:boncee (2)

Lord Ender (156273) | more than 3 years ago | (#35238956)

If you wanted credentials you would host a free service. A commercial service would have far fewer users and a money trail to the person who runs it.

mobile VPN (0)

Anonymous Coward | more than 3 years ago | (#35237652)

I think to an android device with OpenVPN on it. It provides you with a very good encrypted VPN. Look on http://openvpn.net

A couple of things. (1)

natehoy (1608657) | more than 3 years ago | (#35237660)

(1) As far as encrypting the data on the phone itself, I'd recommend Blackberry if you can swing it. It's the only phone I know of that has the capability of actually encrypting the filesystem, though maybe that's changed.

(2) Having said that, any data you send/receive is going to go through Blackberry's servers and your privacy/protection depends on whether RIM is playing ball with that country or not, in addition to any snooping the local cellco might be doing. So you'd better make sure you are accessing things over SSL, or you might consider a VPN-tunneled-VNC connection to a server in a friendlier country. But again that's encrypted data and your cellco will know it's out there.

What's your risk doing something you might get caught where the government knows what you are doing, as opposed to getting caught doing something where the government doesn't know what you are doing?

Is the move itself absolutely necessary?

Re:A couple of things. (0)

Anonymous Coward | more than 3 years ago | (#35237870)

Note that RIM claims FIPS140-2 Level 2 compliance only. As a result, western governments allow only RESTRICTED level data to be used on BlackBerry devices. Which is basically information equivalent to the number of toilet rolls used by a government department. Wait until FIPS 140-2 Level 3 compliance comes before thinking about putting or accessing sensitive data on a mobile phone - especially in dangerous parts of the world. Level 3 isn't so far off - NFC/mobile payments technology is driving the charge, and microSD solutions are already on the market (see GO-TRUST). Also, beware malware - encrypted data is great until it is decrypted and some nasty in-memory utility starts sniffing....

Re:A couple of things. (0)

Anonymous Coward | more than 3 years ago | (#35237912)

"data you send/receive is going to go through Blackberry's servers" that's not true, happens only if you subscribe to Blackberry service. This can be avoided by having an unlocked device with a common SIM card and run WIFI. If you keep all the files off the media card and the password attempts are exceeded, the device wipes itself.
Not sure what kind of older BB devices those features have.

With encryption, safe to some extent - true and in US you can supposedly take the 5th for not giving out your passwords to access. I am sure there are ways to get a password out of you - in every country if "country feels endangered".

Re:A couple of things. (1)

Anonymous Coward | more than 3 years ago | (#35239284)

Blackberry has handed over its encryption to various governments around the world from pressure. They aren't safe anymore. The UAE and India deals top the list in my memory.

Solution. (5, Interesting)

Zurk (37028) | more than 3 years ago | (#35237668)

I have the same problem. I am not in a restrictive country, however my phone lines are tapped on a regular basis since I deal with defendants. It's not paranoia -- they really do tap phones of attorneys to get around atty/client and I've seen the records more than once. I use an SSH connection to a tomatousb router (ASUS RT-N16) and forward ports to my N810. You can do the same with your N900. This allows me to do VOIP directly and also share the same connection locally by letting my N810 serve as a local hotspot. All traffic is encrypted with SSH until it reaches my home which is on a dynamic ip anyway. This has worked against local and fed agencies but may not work against NSA/big brother type agencies or against foreign government state departments. You need a fast upload connection (my 25/2 Mbps cable connection works fine). For anything more than the usual calls I meet people in person at the office. Meeting in person is covered by priv and works well.

Re:Solution. (1)

Bromskloss (750445) | more than 3 years ago | (#35238246)

they really do tap phones of attorneys to get around atty/client and I've seen the records more than once.

I don't think I understand the situation here. Who are "they"? Are you the attorney? Does "atty/client" refer to some set of laws that restrict whom "they" may bug and not?

Re:Solution. (0)

Anonymous Coward | more than 3 years ago | (#35238346)

they are one of :
1. Local LEO. this is your local police department.
2. FBI for more serious cases.
atty client refers to : http://en.wikipedia.org/wiki/Attorney-client_privilege

Re:Solution. (0)

Anonymous Coward | more than 3 years ago | (#35238488)

http://en.wikipedia.org/wiki/Attorney-client_privilege

Re:Solution. (4, Insightful)

BluBrick (1924) | more than 3 years ago | (#35238512)

I am not in a restrictive country, however my phone lines are tapped on a regular basis since I deal with defendants.

Y'know, if the second part of that statement really is true, you might just want to re-think the first.

Re:Solution. (1)

Anonymous Coward | more than 3 years ago | (#35238770)

they really do tap phones of attorneys to get around atty/client and I've seen the records more than once.

I call bullshit - either you've fallen victim to your own paranoia (stop watching Glenn Beck) or you're not doing your FUCKING JOB. If you've got evidence of this sort of seriously illegal wiretapping, go to court with it...

Re:Solution. (1)

calmofthestorm (1344385) | more than 3 years ago | (#35239222)

I don't follow; it's legal for them to tap your phone but not put a bug on your person/office and record face-to-face conversations?

Moxie Marlinspike and Whisper Systems (1)

Fnord666 (889225) | more than 3 years ago | (#35237674)

Consider giving Whisper Systems [whispersys.com] "TextSecure" and "RedPhone" applications a try. I have had good luck with them. I don't know if they have been ported to S60 yet.

Re:Moxie Marlinspike and Whisper Systems (1)

godel_56 (1287256) | more than 3 years ago | (#35238644)

Consider giving Whisper Systems [whispersys.com] "TextSecure" and "RedPhone" applications a try. I have had good luck with them. I don't know if they have been ported to S60 yet.

From Whisper Systems FAQ:

"10. Does RedPhone support international numbers? For the initial Beta, RedPhone is unfortunately US-only. We will be adding international calling support in the near future. "

consider steganography over cryptology (5, Insightful)

smoothnorman (1670542) | more than 3 years ago | (#35237676)

I'd be most worried about the: "he's using techniques which we can't crack. so he's really up to no good, and we must therefore have him 'pay us a visit'" (cf the usual: http://xkcd.com/538/ [xkcd.com] ). So perhaps you should consider communication that doesn't trivially look like communication that's subversive to the powers-that-are? Just something to mull over; because you see, the birds do fly west on a sunny day.

Re:consider steganography over cryptology (0)

Anonymous Coward | more than 3 years ago | (#35238114)

-.- I see what you did there.

Re:consider steganography over cryptology (4, Interesting)

izomiac (815208) | more than 3 years ago | (#35238340)

I was just about to pop in and say that. Plausible deniability is the only sane choice for this environment. It basically doesn't matter to you if your encryption is never broken if they just take that as an admission of guilt.

IMHO, the way to go would be an android phone with an extra /data/ partition that's encrypted, and swap them out using the terminal. Be sure to use a strong screen lock (i.e. a long password or very long series of numbers, no patterns). That way, you have a benign /data for investigators, you get *everything* (i.e. thumbnails, logs, etc.) encrypted, and if they question you about the partition you can feign ignorance and claim that it must be a corrupted flash chip. All that said, I'm not sure how technically feasible this is, but it seems straight-forward enough with root access and some familiarity with the Linux terminal.

Re:consider steganography over cryptology (0)

Anonymous Coward | more than 3 years ago | (#35238674)

But really long passwords can be harder to remember when they're torturing you for the password

Re:consider steganography over cryptology (3, Interesting)

izomiac (815208) | more than 3 years ago | (#35239024)

Put an easy one on the benign /data partition, and a hard one on the encrypted one. That way, if you're about to be captured, turn off your phone. If you're already captured, tell them it's been buggy lately and to do a battery pull. The point is to force a reboot of the phone, which conceals everything.

What's missing on the N900? (2)

vadim_t (324782) | more than 3 years ago | (#35237680)

It has support for OpenVPN, SSH and tor out of the box. There was one guy in #maemo I think that said he succeeded at implementing full disk encryption, you might want to come there and ask. And if you install kernel-power you'll be able to use iptables, which should help with making sure only what you want gets in and out.

Now, will encryption help you? What is going to happen to you if you're arrested and suspected of accessing something you shouldn't? I'm thinking that in such a place, if they find you have a heavily encrypted phone they're just not going to let you go if they can't get data off the device, and refusing to tell the password might not be a great idea.

Perhaps you should look more at plausible deniability. Try to set up the phone in a manner that is as un-suspicious as possible, make sure nothing incriminating gets logged on the device, and do all your suspicious activities on some remote server, with some panic system that can remove anything suspicious like tor or ssh without leaving a trace if you get in trouble.

For testing what gets stored, you could try using rsync. Sync the entire phone, do something like loading a website, sync again and see what changed.
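The before/after comparison suggested in the comment above, as an added example that is not part of the original post: it hashes every file in a synced copy of the device, then reports which files an action created, changed or removed. The directory layout and file names in `demo()` are constructed sample data, and the function names are hypothetical.

```python
"""Snapshot a directory tree twice and report what an action changed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file (path relative to root) to (size, sha256 hex)."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and device nodes
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            size = 0
            try:
                with open(full, "rb") as handle:
                    for chunk in iter(lambda: handle.read(65536), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError:
                # Unreadable files are still recorded so they show up in a diff.
                manifest[rel] = (None, None)
                continue
            manifest[rel] = (size, digest.hexdigest())
    return manifest


def diff_snapshots(before, after):
    """Return sorted lists of paths that were added, removed or modified."""
    shared = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in shared if before[p] != after[p]),
    }


def _write(root, rel, data, mode="wb"):
    """Helper for the constructed sample: write data to root/rel."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as handle:
        handle.write(data)


def demo():
    """Constructed sample: a synced phone copy before and after loading a page."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "home/user/.browser/history.db", b"(empty)\n")
        _write(root, "home/user/.browser/prefs.ini", b"homepage=about:blank\n")
        _write(root, "var/log/syslog", b"boot ok\n")
        before = snapshot(root)

        # Simulated side effects of loading one website (constructed).
        _write(root, "home/user/.browser/history.db", b"example.org\n", "ab")
        _write(root, "home/user/.browser/cache/thumb_0001.png", b"\x89PNG")
        _write(root, "var/log/syslog", b"dns lookup example.org\n", "ab")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9} {path}")
```

For real use, call `snapshot()` on the rsync'd copy before and after the action instead of running `demo()`.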

Re:What's missing on the N900? (1)

westlake (615356) | more than 3 years ago | (#35238410)

Perhaps you should look more at plausible deniability

"Plausible" is in the eyes of the man holding the cattle prod.

Re:What's missing on the N900? (1)

vadim_t (324782) | more than 3 years ago | (#35238508)

Yes, exactly.

The cattle prod man is certainly not going to be happy if he finds encryption, proxies and so on. So the goal would be to make it look like a normal phone with nothing unusual or interesting on it.

Re:What's missing on the N900? (1)

Anonymous Coward | more than 3 years ago | (#35238632)

"You were right. All it took was showing him the hardware store catalog, and he gave up the passwords. Let's see what exactly he's been hiding on that encrypted partition...
What the hell? 500Gb of furry pictures?"

Secure Imap/Smtp + SSL in browsers (1)

icebike (68054) | more than 3 years ago | (#35237686)

About the best you can do with off the shelf phones is to use an email client that supports secure communications, and visit web sites using ssl only. (not Slashdot).

You could try some of the secured proxy browsers such as https://www.the-cloak.com/ [the-cloak.com] (self issued certificate - so due diligence required) as a way to browse sites like Slashdot that don't offer secure connections.

Blackberry + BES Express (4, Informative)

ballwall (629887) | more than 3 years ago | (#35237722)

Set up a BES Express server, and get a BlackBerry. I'm not sure you can find equivalent security on any other platform. The BES Express server (free) offers transparent VPN. The devices themselves are unmatched, security-wise (though you'd be stepping back like 5 years in features). Email might be a problem if you don't want to also run exchange or lotus domino, but you could easily set up an IMAPS server and use that.

Re:Blackberry + BES Express (1)

molo (94384) | more than 3 years ago | (#35237944)

Didn't blackberry roll over for the governments requesting intercept capability last summer?

Either way, I don't trust BB that much.

-molo

Re:Blackberry + BES Express (2)

netsharc (195805) | more than 3 years ago | (#35238694)

If you use your own BEServer, it encrypts traffic between the phone and the server using keys known only to it and the phone (I think during pairing the server tells the phone its public key, the phone generates a key-pair, encrypts its public key using the server's public key, and transmits it to the server -- this is probably a wrong explanation, since the public key is supposed to be public, why should it be encrypted before transportation), so not even RIM can see what the data payload is, if you trust their marketing material... and it seems a lot of government agencies (e.g. the German Security Agency) do.

BlackBerry even does bogus CPU cycles to prevent attackers from seeing which part of the CPU/RAM is warmer than the others and gain information about their en-/decryption from that...

Re:Blackberry + BES Express (0)

Anonymous Coward | more than 3 years ago | (#35238230)

Item: BlackBerry Enterprise Server Express that supports up to 75 users on the same server as Microsoft Exchange or Windows® Small Business Server

Requirement: Visit www.microsoft.com to see the requirements for Microsoft Exchange or Windows® Small Business Server

BES Express server may be "free", but.... you want the other stuff legal - or???

Re:Blackberry + BES Express (1)

no-body (127863) | more than 3 years ago | (#35238384)

and.... you'll need a SQL server too - all that BES environment is Microsoft server based. Not sure how much that is. Once you have the server, you'll need access to mobile network for your device(s) from BES - assume that's not free either. Good luck!

Re:Blackberry + BES Express (1)

ballwall (629887) | more than 3 years ago | (#35238478)

Ack, I didn't realize how crazy the system requirements were for a BES. Perhaps not the best solution. Though if you set up your own VPN and IMAPS server the devices will still be the most secure available (keys never leave the device).

Re:Blackberry + BES Express (1)

no-body (127863) | more than 3 years ago | (#35239064)

In theory, I would think that everything could be easily ported to Linux - not sure what is all in use - Apache Tomcat based-something, SQL database & what have you. Do they dare to do it? The mail part - Novell-Groupwise, Lotus should be running on Lx anyway... Big money politics and some phonecalls from big brother may be in play - maybe some support channels as well or just resources - they probably have their hands full with competing - or trying to - current forces. You don't need a BES for VPN I would think - posted about unlocked Blackberry using WIFI earlier - if it will go through customs... Could use https or ssh too - haven't gotten a free ssh client to work yet..

Re:Blackberry + BES Express (1)

PsychoSlashDot (207849) | more than 3 years ago | (#35238984)

and.... you'll need a SQL server too - all that BES environment is Microsoft server based. Not sure how much that is. Once you have the server, you'll need access to mobile network for your device(s) from BES - assume that's not free either.
Good luck!

It includes an MSSQL Express Instance. Which is free.

So, okay, let's be real. If you're one random paranoid guy looking to encrypt his phone transmission this platform isn't for you. On the other hand if you're like a huge portion of the business world and already have some Windows infrastructure, this is a really, really good solution.

BES Express is free and estimated scalable to 3,000 users on one box assuming a hefty box. One of the things I like about BES the most as an IT guy is the ease of individual phone setup. Tell users: run Enterprise Activation, put in your e-mail address and the following (throwaway) password. That's it. No concern that the device needs to have your certificate installed, or that it's not going to detect what port your IMAP/POP server is running on, or that there's going to be some weird interoperability issue with TLS on or off or SSL on or off, or any of the surmountable but ANNOYING things that go wrong on the Android and Apple (I refuse to call the iPhone's OS by what Apple wants me to, sorry... IOS is a Cisco OS) platforms.

Re:Blackberry + BES Express (1)

no-body (127863) | more than 3 years ago | (#35239266)

Where should the BES be? Inside foreign country or homeland US? In any case BES connects to Blackberry Infrastructure (BB Router) to user's devices (Wireless phone network). If you use BB in foreign country in connections with a BES, you will go through BB Infrastructure which seems to be open to governments in some foreign countries. IMO using a Home-BES Express defeats the purpose. Cost to use BB infrastructure is unknown to me but surely exists on top of Windows Server licensing issue.

I can't help wondering (0)

Anonymous Coward | more than 3 years ago | (#35237756)

How long it will be before people start thinking the same about moving to EU

I am not sure you want everything encrypted - it may draw attention to you, whereas a limited amount may be hidden in https type communications

Two Things to Worry About (0)

Anonymous Coward | more than 3 years ago | (#35237758)

I think you have two different problems being in a restrictive country as you describe. 1) Hide the traffic that you are sending on the Internet and storing on your local system 2) Hiding the fact that you are hiding stuff.

The first part is relatively simple, in my opinion, by using an encrypted proxy or VPN connection to your remote server and using a form of encrypted file storage for local system, such as TrueCrypt. The second problem is much more difficult to deal with. Since you are probably breaking the law using the encryption, hiding the fact that you are hiding stuff may be just as important. As far as I know, there isn't a good solution for this. Your best bet in my opinion is to attempt to disguise the traffic as something else, like using port 80 for the proxy port, or something similar, and leaving a simple, non-threatening web page up when you aren't using the proxy server on that port.

Legally? (0)

Anonymous Coward | more than 3 years ago | (#35237782)

Many of these 'more restrictive' places have a ban on encryption of any reasonable strength, you might not be ABLE to use ANY at all. But if you are looking to do it anyway, then ITAR and cryptography regulations be damned - just claim to be from the US, and go full strength encryption... of course, if you end up going to prison for the rest of your natural life being tortured there until you died - then it's not our fault.

Your best bet ... (4, Insightful)

tgd (2822) | more than 3 years ago | (#35237820)

Is not to use those services. Generally speaking, if the country is that restrictive, they probably will not take kindly to a foreigner trying to bypass the restrictions.

A good rule of thumb to travel: obey local laws. If you don't like them, don't go there. As a foreigner, you are in a pretty risky spot to try to take matters into your own hand.

Re:Your best bet ... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35238208)

Is there a local law against encryption?

The problem isn't the laws, it's the lack of "the rule of law".

You're deluding yourself. (2)

Stoutlimb (143245) | more than 3 years ago | (#35237824)

You're going to a restrictive country with little human rights, and you think that encryption will keep you safe?

I think that XKCD put it best... http://xkcd.com/538/ [xkcd.com] I'm surprised nobody's posted this yet.

Re:You're deluding yourself. (0)

Anonymous Coward | more than 3 years ago | (#35237868)

I think it's more likely that they'd just imprison the guy for using encryption at all. Big Brother doesn't like blind spots.

BackTrack != Secure (3, Informative)

keckbug (1525803) | more than 3 years ago | (#35237886)

I feel compelled to point out that while BackTrack is a great distro, its primary goal isn't really being secure from outside intruders. It is designed for auditing and testing other systems. I'm sure with a reasonable effort you could lock it down to be relatively secure, but you're looking at the wrong tool for the task. Hell, it runs everything as root by default.

Re:BackTrack != Secure (0)

Anonymous Coward | more than 3 years ago | (#35238108)

Mod Parent truth..

There's quite a number of nasty payloads sitting around in backtrack. Not something you'd want if you're looking for security.

Re:BackTrack != Secure (0)

Anonymous Coward | more than 3 years ago | (#35239326)

I think he wants SELinux or something like that not BackTrack.

Be realistic here (1)

AdmiralXyz (1378985) | more than 3 years ago | (#35237916)

If you're not a high-priority target or planning on creating civil unrest, then this restrictive government doesn't care about you. If you are, then encryption isn't going to save you. They'll either pull off some side-channel attack, like a rootkit on your phone that no amount of encryption is going to subvert, or just throw you in jail for using encryption at all.

I'm all for security, but a lot of Slashdotters really need a sense of perspective.

StrongVPN is what you want (0)

Anonymous Coward | more than 3 years ago | (#35237932)

Get StrongVPN [strongvpn.com] . They have screencasts for how to set it up for your Droid, iPhone, Mac, Linux, or PC. Basically, you configure your device to forward all internet traffic through the VPN server. I use it so I can access US content (Hulu, Netflix, etc) since I live in another country right now. It's always funny to get radio ads for the Miami market while listening to Pandora.

You can't beat $55 a year!

Check whether this is legal in your police state (1)

Bozovision (107228) | more than 3 years ago | (#35237964)

Before doing this you may want to check what the local laws are. Police States do not like privacy. Encryption is not always legal. If you find it's illegal you will probably also want to check what the penalties are.

Most current gen phones will do tunnels... (1)

uncledrax (112438) | more than 3 years ago | (#35237972)

the iPhone can do PPtP tunnels.. I haven't played on my Nokia N800, but I'm positive it can do it as well.. and I can't see any reason why you couldn't do it on an Android. I believe the Crackberry has such a large business-centric user-base, I'd be very sup

Setting up and using an encrypted tunnel is pretty basic and most recent generation phones you'd even want to bother 'surfing' on should be able to do this. So if you're shopping for a new device, I'd just add this to a check-box list of features you want, and focus on other things.

High Quality Encryption (1)

imscarr (246204) | more than 3 years ago | (#35237984)

This page lists many High Quality Encryption devices.
http://www.jproc.ca/crypto/menu.html [jproc.ca]
Look at the KGV series

How about not? (0)

LukeWebber (117950) | more than 3 years ago | (#35238066)

Screw that. Just stay home. Watch pr0n and drink beer.

ssh (1)

markdavis (642305) | more than 3 years ago | (#35238100)

It sounds like you are using your phone to provide IP to other devices. You can just use ssh on those "other devices" to port forward anything you like. There is no need for any special phone nor software running on the phone when the IP traffic itself is already encrypted.

Bad Idea (2)

cypherdtraitor (1448243) | more than 3 years ago | (#35238110)

I would recommend just censoring yourself.

The fact of the matter is that if the country is actually using sophisticated techniques to look for spies, they will be actively looking for data traveling in an encrypted form to the United States.

It would be a shame to be captured and interrogated because the tyrants didn't know that "secret message" was about how much you hate your boss.

Why no SatPhone? (0)

Anonymous Coward | more than 3 years ago | (#35238190)

The only really efficient and reliable way to do this is via SatPhone.
Why not?

BackTrack Secure? (1)

ProfessionalCookie (673314) | more than 3 years ago | (#35238234)

Since when is BackTrack a secure OS? I was under the impression that it was a live distribution with a bunch of penetration testing tools with Root as the default user. In fact I believe special configuration is required to even create a non-root user. Hardly an OS built for normal everyday use.

I'm pretty sure the poster doesn't actually know what they need, want or are asking for, but best wishes.

Don't forget (0)

Anonymous Coward | more than 3 years ago | (#35238240)

When you enter the USA, they can search and seize your electronic equipment, encrypted or not.

Re:Don't forget (0)

Anonymous Coward | more than 3 years ago | (#35238850)

But they can't make you give up your password. And luckily they're still afraid of lawsuits, so they have not resorted to shipping non-Arab-looking, non-Muslim Americans to black sites yet. Although they did jail a blonde Icelandic girl with no food nor access to a phone call for 24 hours once [icelandreview.com] . Yeah, in light of the way the Americans treat people (water-boarding, beating them to death), no food for 24 hours is a rather pleasant experience, isn't it.

And apparently their checks are useless, Jacob Appelbaum's (part-time volunteer for WikiLeaks and Tor, supporter of the Egyptian revolution) USB sticks got confiscated, he knew he was going to be harassed, so he dd'ed the Bill of Rights onto the bootsector beforehand, and their useless program couldn't see that...

Posting anonymous, but I think I've signed my name to anti-American-fascism statements before, they'll still probe my ass when I visit that terrorist regime...

n900 is probably the most flexible (4, Informative)

xeno (2667) | more than 3 years ago | (#35238254)

Some resources for the n900:

----- file system encryption--
Truecrypt for true cross-platform encryption on the phone's non-boot volume
  (available by default in the N900's Extras-Testing repository)
A nice script to simplify use of TrueCrypt (no screen icon = non-obvious = good)
  http://forums.internettablettalk.com/showthread.php?p=597269
Also note that for your pc, you can put the x86 tc.exe on the phone's unencrypted boot volume, ...and then mount the phone's encrypted volume from the card, thru 1 usb connection

----- IP encryption
Tor is available as a package and works well, tho with caveats
  http://www.torproject.org/docs/N900.html.en
SSH is also available

----- semi-secure voip
Skype support is inbuilt (tho sometimes suspect w/proprietary encryption & whatnot)
  configure thru Settings>Connectivity>VoIP and IM.
Run your own Asterisk PBX on the n900 with an encrypted config/tunneled
  available in the Extras repository

----- alt boot options
option to boot alt OS hidden on card
  http://wiki.meego.com/ARM/N900/Install/Dual_Boot
  http://neopwn.com/ (sometime soon, one hopes)
option to carry a hidden/alt bootable PC OS in your phone
  http://zitstif.no-ip.org/?p=451

Own the network, own the phone (0)

Anonymous Coward | more than 3 years ago | (#35238510)

If you own the network, you own the phone, plain and simple. Back doors are built into the protocol/network infrastructure. Up until recently, BlackBerry would have been the way to go. Now even they have been required to allow back doors to the platform in foreign countries. It is what it is, you are in their country, using their network, they have the ability to do whatever they want. In their eyes there is no such thing as privacy while in their country. Your best bet is to get a dumb phone and only discuss things you want other people to hear. Use your smartphone as a PDA, off the network.

Android, Symbian, and Maemo (1)

Weezul (52464) | more than 3 years ago | (#35238588)

I'd believe that only Maemo offers moderately convenient gpg encrypted mobile email, not via the default email client sadly, although maybe you could hack that. Afaik, Maemo boasts the only mobile OTR messaging solution too. Android and Symbian beat out Maemo when you're talking encrypted voice calls however since only they boast Zfone implementations. If the country is evil enough though, they might not even have access to skype conversations, not sure how skype handles baddies.

Afaik, all modern mobile platforms support virtually all VPN protocols. Android will handle ssh tunnels once you jail break it, presumably the same for Symbian. iPhones, Blackberries, etc. will get messy wrt port forwarding. I'd imagine that only Maemo will offer seamless SOCKS5 support, but maybe Android. VPN also offers the most plausible deniability if they catch you using encryption.

I cannot comment on encrypting the contents of the phone under Android and Symbian, but Maemo supports some encrypted file systems from Linux [maemo.org] and Easy Debian offers all the others. We're hearing about dual core phones running Android and Debian simultaneously. So maybe you should get your encrypted filesystem running on your N900 now, but plan on buying a dual Android & Debian device once your N900 gets long in the tooth?

In practice, you shouldn't really worry too much about your random comments or encryption usage. American citizens won't get harassed too badly unless they're clearly a threat, i.e. an activist, journalist, etc. If you're not American, then you should seriously check into the country. Saudi Arabian employers love keeping people there as slave labor by taking passports, even heard about them doing this to French people.

Stay at home? (0)

Anonymous Coward | more than 3 years ago | (#35238590)

I'd suggest you don't do anything. If you're going to live somewhere like that why would you want to draw attention to yourself by making it look like you're hiding something? If you've got nothing to hide then no need to hide anything. If you do have something to hide then why go there in the first place?

As a rule of thumb - if you can't live without the pr0n then don't move to a country where having pr0n will get you into serious trouble.

Android works pretty well (1)

t2t10 (1909766) | more than 3 years ago | (#35238620)

It supports both regular VPN and tunnelling with ssh (or any other command line program). The browser can be configured to go through a proxy if you like. If you want a mainstream phone, that's probably the best way to go. There are also lots of encryption solutions.

iPhone is nearly useless from a security point of view: when the VPN connection shuts down (as it does from time to time), it starts transmitting your data unencrypted; totally unacceptable!

If you want any more control, you probably need to get an N900 (while you still can).

You can get a little flexibility by using a mobile WiFi hotspot and a separate WiFi enabled internet access devices (e.g., Android tablet, Android phone, etc.).

OpenVPN works on Nokia N800 (0)

Anonymous Coward | more than 3 years ago | (#35238622)

OpenVPN works on Nokia N800, so I'd be surprised if it doesn't on the N900.

Find a friend in your home country who is willing to run an openvpn server or get a $20/month VPS plan that allows long running processes like openvpn and make all your non-local connections go through the VPN connection.

You won't be streaming TV or VoIP thru it, but all your other traffic will work just fine and be unbreakable. Always use SSH to remote into the VPN server.

Don't go. (1)

sdguero (1112795) | more than 3 years ago | (#35238640)

It's not worth it.

Technology is not the issue (1)

lowlands (463021) | more than 3 years ago | (#35238668)

Technology is not the issue: get your favorite OS instance from your favorite cloud provider/hoster or whatever, setup ssh and openvpn. Part 1 done. Now hop on irc.freenode.net to #asterisk or #freeswitch and ask around for a provider that offers encrypted SIP calls using TLS/SRTP or even ZRTP using non standard ports (like 80, 443, 25 etc.). If your new overlords don't block ports perhaps Skype works too. Use creditcard to throw some cash at the service, configure phone. Part 2 done.

Bottom line is that when you are in a country with scary overlords with many scare drones who like to see you in a scary basement with scary tools you want to keep your head down, do the work, grab the pot of gold (I hope) and get the hell out. If you are from the US be prepared for some serious negative sentiment towards you and the US in general. Do not comment on anything political ever. Do not comment on the pothole in the street, the food, the music, do not comment on girls/women ever. Basically do not comment on anything. Just smile, shut up, respectfully say you have work to do and back out of the discussion as fast as you can. And remember, your biggest "friend" is probably the guy that reports about you every night and gives the other scary drones the intel based on which they might decide to drag you into one of their basements. Do not confide in any person. Oh and just because some other expats say there's no problem with having a few alcoholic beverages at home does not mean that it's safe for you. Just imagine the scary basement with the scary tools before you do something that is totally normal in the US but might be or is conceived as insulting and illegal in your nice new restrictive country.

I hope it's worth it.

Re:Technology is not the issue (0)

Anonymous Coward | more than 3 years ago | (#35238750)

Bottom line is that when you are in a country with scary overlords with many scare drones who like to see you in a scary basement with scary tools you want to keep your head down, do the work, grab the pot of gold (I hope) and get the hell out. If you are from the US be prepared for some serious negative sentiment towards you and the US in general. Do not comment on anything political ever. Do not comment on the pothole in the street, the food, the music, do not comment on girls/women ever. Basically do not comment on anything. Just smile, shut up, respectfully say you have work to do and back out of the discussion as fast as you can. And remember, your biggest "friend" is probably the guy that reports about you every night and gives the other scary drones the intel based on which they might decide to drag you into one of their basements. Do not confide in any person. Oh and just because some other expats say there's no problem with having a few alcoholic beverages at home does not mean that it's safe for you. Just imagine the scary basement with the scary tools before you do something that is totally normal in the US but might be or is conceived as insulting and illegal in your nice new restrictive country.

Australia is a tough country to do business in.

Plausible deniability? (2)

c0lo (1497653) | more than 3 years ago | (#35238714)

Entering as a foreigner in the country will flag you for sure. Man-in-the-middle attacks are possible.

I'm not worried about encrypting SMSs or traditional voice traffic, but I would like all IP traffic as secure as possible.

If your traffic doesn't require real-time reporting of events (i.e. a delay of 2-3 hours between the event and the report is OK) and doesn't require large amount of data (i.e. text reports rather than video):
1. As you control both ends of the communication, consider a prearranged set of one-time pads
2. Plausible deniability [wikipedia.org] - including steganography and Rubberhose filesystem [wikipedia.org]
3. Netbook instead of a smart-phone? (easier to arrange, no need to hack the phone)

Good luck.

Could be dangerous ... (4, Insightful)

gstoddart (321705) | more than 3 years ago | (#35238740)

Before you start trying to figure out how to circumvent being spied upon by the host government, maybe you should look into the possible consequences of this. It may well be that if they find out that you're doing this, things could really turn out bad for you.

It's generally a good idea to try to actually obey the laws of the country you're going to, especially if it's as volatile as you say it is. If you're a foreign national and don't have any sort of diplomatic protections, you could be playing a risky game.

Just use https (1)

MobyDisk (75490) | more than 3 years ago | (#35238768)

From what I know, an encrypted data connection is of limited value.

1) If you are using HTTP, the ISP can listen-in on you even if the communication to the tower is encrypted.
2) If you are using HTTPS, and the certificates are properly validated, then the communication is encrypted from the phone to the tower past the ISP and all the way to the web site. They can't listen in on you at any level. The only potential gain I see to encrypting the data communication as well is that someone can't tell what site you are visiting by intercepting the phone's data connection. (HTTPS doesn't hide that.) But then that can be seen by the ISP.

Also, I'm not sure if you can trust the data encryption. How can you tell that the phone is using it? Or that the tower is using it? Or that it isn't breakable?
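
An added illustration of the point in the comment above that HTTPS does not hide which site you visit (this is not part of the original post): Python's ssl module builds a real ClientHello in memory with certificate validation enabled, and a short parser recovers the hostname from the cleartext server_name extension, which is what any on-path network sees before encryption starts. The hostname mail.example.org and the function names are made up for the example.

```python
import ssl


def client_hello_bytes(hostname: str) -> bytes:
    """Return the first bytes a validating TLS client sends; no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert + hostname checks on
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # writes the ClientHello, then needs a reply
    except ssl.SSLWantReadError:
        pass                        # expected: there is no server to answer
    return outgoing.read()


def _u(buf: bytes, pos: int, size: int) -> int:
    """Read a big-endian unsigned integer, failing loudly on truncation."""
    if pos + size > len(buf):
        raise ValueError("truncated ClientHello")
    return int.from_bytes(buf[pos:pos + size], "big")


def sni_from_client_hello(data: bytes):
    """Extract the hostname an observer can read from an unencrypted ClientHello."""
    if len(data) < 5 or data[0] != 0x16:            # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    record = data[5:5 + _u(data, 3, 2)]
    if not record or record[0] != 0x01:             # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    body = record[4:4 + _u(record, 1, 3)]
    pos = 2 + 32                                    # legacy version + random
    pos += 1 + _u(body, pos, 1)                     # session id
    pos += 2 + _u(body, pos, 2)                     # cipher suites
    pos += 1 + _u(body, pos, 1)                     # compression methods
    end = pos + 2 + _u(body, pos, 2)                # extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u(body, pos, 2), _u(body, pos + 2, 2)
        ext = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:                           # server_name extension
            # layout: list length (2), name type (1), name length (2), name
            if _u(ext, 2, 1) != 0:
                return None                         # not a DNS hostname entry
            return ext[5:5 + _u(ext, 3, 2)].decode("ascii")
        pos += 4 + ext_len
    return None                                     # client sent no SNI


if __name__ == "__main__":
    hello = client_hello_bytes("mail.example.org")  # constructed sample host
    print("bytes on the wire before any encryption:", len(hello))
    print("hostname visible to the network:", sni_from_client_hello(hello))
```

The request path, headers and page contents are only sent after the handshake completes, so they are not present in these bytes; routing all traffic through a tunnel moves this hostname exposure from the local network to the tunnel's far end.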

mobile phone app (0)

Anonymous Coward | more than 3 years ago | (#35238808)

A few days ago someone questioned me about the same problem and if there is a chance to build an app (iPhone in this case) that is able to send SMS like messages encrypted paranoidly in way that if either the server, the line or the clients are unsafe the message still be extremely difficult to be opened by someone else as intended destination.

But as I read these posts I just see it the same way as the other guys who say that it could be an eyecatcher for some instances if you encrypt your messages and cause trouble.

N900, duh. (0)

Anonymous Coward | more than 3 years ago | (#35239032)

1. N900 w/ Maemo 5 + POWER kernel (for IPSec) + ipsec-tools (http://natisbad.org/debian-n900) + IKEv2 (optional)
2. the Internets over cell network
3a. home openwrt router + NAT (optional)
3b. home *NIX machine + ipsec-tool + IKEv2 (optional) + squid
4. the Internets over home network (BAM)

I have not successfully implemented IPSec from/to my N900, but it should work with.

Required to Provide encryption keys (0)

Anonymous Coward | more than 3 years ago | (#35239040)

Remember that in some countries (eg UK) you are legally required to provide all encryption keys to the authorities when asked. To fail to do so is an offence in itself, regardless of the content of the encrypted material.
