×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

PGP Creator's Zfone Encrypts VoIP

CmdrTaco posted more than 8 years ago | from the so-stupid-easy-i-can-use-it dept.

150

Philip Zimmermann, creator of PGP wrote in to tell me about Zfone, his new system for encrypting any SIP VoIP voice stream. His first release is Mac & Linux only. I tested it with him using Gizmo as our client and it was pretty trivial to use. While it should work on most any SIP compatible VoIP client, he hopes that clients like OpenWengo and Gizmo will incorporate Zfone directly into the UI. Zfone has no centralization, and has been submitted to the IETF. He hasn't yet determined a license, but he believes strongly in releasing source code for all encryption products. A windows client is forthcoming.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

150 comments

First Post from the Badger State! (-1, Offtopic)

scottv67 (731709) | more than 8 years ago | (#14921001)

Go Packers! Go Badgers!

Re:First Post from the Badger State! (-1, Offtopic)

scottv67 (731709) | more than 8 years ago | (#14921009)

Oh c'mon! Give this cheesehead a break. I thought I would get modded-up, not down, for being FP. :^)

typo (5, Funny)

Yahweh Doesn't Exist (906833) | more than 8 years ago | (#14921002)

>His first release is Mac & Linux only.

you misspelled Windows.

oh... that makes a refreshing change.

Re:typo (1)

fossa (212602) | more than 8 years ago | (#14921048)

The article actually says all three: "The current Zfone software runs in the Internet Protocol stack on any Windows XP, Mac OS X, or Linux PC". But yes, very refreshing.

Kiss my dong goodnight (-1, Offtopic)

(TK)Dessimat0r (668222) | more than 8 years ago | (#14921005)

LATVIAN HOUSE, QUIET AS SHIT, AREEMS WAS ASLEEP, STROKING HIS TIT, SUDDENLY WOKEN BY THE THOUGHTS OF FOOD, HE WANDERED DOWNSTAIRS TOTALLY NUDE, WITH A 1 INCH ERRECTION, HE OPENED THE FRIDGE, A MAN SAT BESIDE HIM, LADEN WITH GRIDS, THE MAN WAS A NIGGER, HE LOOKED LIKE A MESS, WHY WAS THIS MAN WEARING A DRESS? THIS MAN WAS A DARKIE FROM THE GNAA. UNKNOWN TO AREEMS, HE WAS TOTALLY GAY.

HIS 20 FOOT DONG STARTED TO RISE -- HE COULD SEE THE FEAR IN AREEMS' EYES. DON'T BE SHY, HE SAID, WITH A CAMP INFLECTION, ITS OKAY TO GET AIDS FROM A HIV INFECTION. ANNOUNCING HIS PRESENCE, HE PLUNGED INTO AREEMS, HIS O-RING WAS TEARING AROUND THE SEAMS. AREEMS FELT HIS PRESENCE INSIDE HIS ASS, WITH REMAINS OF DOUGHNUTS STILL YET TO BE PASSED.

THE BLACK MAN MOVED FURTHER INTO AREEMS, VISIONS OF CAKES STILL IN HIS DREAMS. THE NIGGER CAME AND THE BUG WAS PASSED, AREEMS GAVE A FUCK AS THE HOUSE WAS GASSED. THE SS WAS HERE, READY TO KILL, HITLER'S MEN GAVE OUT A SHRILL. "SCHNELL", THEY REPEATED, AS AREEMS WAS CAPTURED, PACKED INTO A TRAIN HEADED FOR RAPTURE.

WHEN HE ARRIVED, GREETED BY JEWS, THIS PLACE HAD FOOD -- HOW COULD HE LOSE? PACKED INTO A CELL AND GIVEN HIS FEAST, JEWISH CORPSES BLOATED WITH YEAST. A TASTE OF ZYKLON-B AS HE TUCKED IN, THIS PLACE WAS SOME SORT OF JEWISH BIN. COULD IT BE AUSCHWITZ? HE ASKED THE ASSCLOWN. HE LAUGHED AND SAID THAT THIS WAS IN FACT #BANTOWN.

AREEMS WAS CONFUSED -- WHY WAS HE HERE? FEASTING ON CORPSES FOR OVER A YEAR. YOUR POSTERIOR, HE SAID, IS USEFUL TO US. YOUR ANUS AFFORDS US A GREAT SOURCE OF PUS. THE FATTER YOU GET, THE MORE YOU PRODUCE, WE WANT YOUR ASS TO BE TOTALLY LOOSE. OUR MEMBERS ARE KILLED AND THEN FED TO YOU, WE EXTRACT YOUR PUS TO USE IN OUR COUP.

AREEMS COULDN'T CARE LESS, AS LONG HE FED, IT SADDENED HIM TO HEAR THAT HIS FRIENDS WERE DEAD. AREEMS GREW TO HIS CAGE AND THEN READIED HIS REAR, THE LOOK ON HIS FACE WAS ONE OF FEAR. THE DEVICE WAS TURNED ON, AND A WHIRRING BEGAN. THE PUS WAS EXTRACTED INTO A PAN. THIS WAS THEN EMPTIED INTO A BOTNET DEVICE -- A LINUX SERVER THAT ALREADY CRASHED TWICE.

THE MACHINE CAME ONLINE, AND ENTERED #GNAA, CAUSING A SMALL AMOUNT OF DISMAY. THE OPS SET A PASSWORD, AND THE CHANNEL WAS STILL. IT SEEMS THEIR DEVICE DID NOTHING TO KILL. FAILURE OCCURED, AND BANTOWN WAS SHIT, THEY WROTE ON THEIR BLOGS THAT THEIR WRISTS HAD BEEN SLIT. WHAT A PATHETIC EXISTENCE, AREEMS SAID AS HE CRIED, HE WAS TRAPPED IN HIS CAGE UNTIL HE DIED.

  Allowed HTML


   


    • URLs
      http://example.com/ [example.com] will auto-link a URL
      Important Stuff

              * Please try to keep posts on topic.
              * Try to reply to other people's comments instead of starting new threads.
              * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
              * Use a clear subject that describes what your message is about.
              * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

      Problems regarding accounts or comment posting should be sent to CowboyNeal.

        Allowed HTML


         


      URLs
      http://example.com/ [example.com] will auto-link a URL
      Important Stuff

              * Please try to keep posts on topic.
              * Try to reply to other people's comments instead of starting new threads.
              * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
              * Use a clear subject that describes what your message is about.
              * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

      Problems regarding accounts or comment posting should be sent to CowboyNeal.

        Allowed HTML


         


      URLs
      http://example.com/ [example.com] will auto-link a URL
      Important Stuff

              * Please try to keep posts on topic.
              * Try to reply to other people's comments instead of starting new threads.
              * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
              * Use a clear subject that describes what your message is about.
              * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

      Problems regarding accounts or comment posting should be sent to CowboyNeal.

        Allowed HTML


         


      URLs
      http://example.com/ [example.com] will auto-link a URL
      Important Stuff

              * Please try to keep posts on topic.
              * Try to reply to other people's comments instead of starting new threads.
              * Read other people's messages before posting your own to avoid simply duplicating what has already been said.
              * Use a clear subject that describes what your message is about.
              * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

      Problems regarding accounts or comment posting should be sent to CowboyNeal.

My only concern (5, Interesting)

QuaintRealist (905302) | more than 8 years ago | (#14921010)

...is that the US (yes, I live there) will use security fears relating to terrorism to ban or severely restrict this technology. Some elements of our government seem almost Luddite (http://en.wikipedia.org/wiki/Luddite [wikipedia.org]) these days.

Sad, because this kind of encryption would permit greater use of this technology in medicine under HIPPA privacy regulations.

Re:My only concern (2, Interesting)

grub (11606) | more than 8 years ago | (#14921021)


Entirely off topic, but it'd be nice if /. supported linking to wikipedia entries with a simple tag, ie.: if you could have used [[Luddite]] in your post much like how it works on wikipedia.

If you use that idea, Taco, I want a piece of the action!

Re:My only concern (4, Insightful)

Anonymous Coward | more than 8 years ago | (#14921051)

I'd say it's dissapointing that the post had to link to a definition of Luddite in the first place.

Re:My only concern (1)

grub (11606) | more than 8 years ago | (#14921502)

Heh, yeah. I just saw the link and thought "Easy option to add, why not?"

Re:My only concern (2, Insightful)

Aspirator (862748) | more than 8 years ago | (#14921025)

I presume that this will be released outside the US, and allowed to migrate in.

Even then I'm sure that there will be attempts by the US Government to
prevent its use.

This is a significant advance in the search for privacy.

Does it matter??? (1)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14921075)

But Phil Zimmerman and his organization are not based outside the US. I'm not a lawyer, but I don't think (and maybe I'm talking out of my ass) it would matter any. If there are laws, I bet he'd be breaking them wherever he released it. He can't just put it in his pocket and walk across the border and call it good, the Black Helicopter Guys won't buy that.

Re:Does it matter??? (2, Informative)

Aspirator (862748) | more than 8 years ago | (#14921127)

You're right. I have now downloaded the source, from within the US.
There are prohibitions on export in the (many) terms to which you have to agree.

How long before it's all over the world?

It would also.. (3, Insightful)

TheAxeMaster (762000) | more than 8 years ago | (#14921036)

It would also almost totally negate any ISP's attempt at shaping VOIP traffic to try and get people to buy their service instead. This has been somewhat of a question in recent months, but if you can encrypt your stream, then there's not much chance they can slow your packets. I'm all for the increased security as well. Now if we can only get them to cut down on the spam....

Re:It would also.. (0)

Anonymous Coward | more than 8 years ago | (#14921157)

slow all packets that they can't identify what they are. Because if you are using their service, they know what it is.

Re:It would also.. (1)

webweave (94683) | more than 8 years ago | (#14921594)

Hence we are back to stenography.

Re:It would also.. (4, Funny)

ozmanjusri (601766) | more than 8 years ago | (#14921617)

Hence we are back to stenography.

Is that shorthand for steganography?

Re:It would also.. (0)

Anonymous Coward | more than 8 years ago | (#14921681)

> > Hence we are back to stenography.
>
>Is that shorthand for steganography?

What if he's using TCP/IP over carrier pigeon? He's gotta write those bytes down onto something!

(I suppose the VoIP equivalent would be TCP/IP over parrot?)

Re:It would also.. (2, Funny)

ozmanjusri (601766) | more than 8 years ago | (#14921768)

He's gotta write those bytes down onto something!

Not really, - no coconut = 0, with coconut = 1.


(I suppose the VoIP equivalent would be TCP/IP over parrot?)

Good thinking. I wonder how many parrots each pigeon could carry.

Re:It would also.. (1, Informative)

Anonymous Coward | more than 8 years ago | (#14921235)

It would also almost totally negate any ISP's attempt at shaping VOIP traffic to try and get people to buy their service instead.

No it wouldn't. This system doesn't use steganography to hide its protocol, so it's obvious to any application layer sniffer. It also does nothing to hide traffic data, i.e. source and destination addresses. That requires something like Tor [eff.org]. Telcos can selectively degrade service based on protocol and traffic analysis.

The only thing this would prevent is shaping based on the content of VoIP calls. Voice recognition on that scale is probably cost prohibitive for telcos at this point.

traffic shaping reality check (1)

venixflytrap (961224) | more than 8 years ago | (#14921306)

ermm.... unless the traffic were going over totally standard ports... which it still is.

Tangentially, let's not forget that sometimes one *wants* to be able to shape traffic. If you can't tell a voip call from an evercrack connection, they both get equal priority, and that's bad news for your mom and 911.

--Naomi

Re:traffic shaping reality check (3, Insightful)

wolrahnaes (632574) | more than 8 years ago | (#14921621)

The mention of 911 gives me an idea for an interesting angle to ensure ISPs can't neuter VoIP.....claim that by doing so they're endangering lives in the event of a 911 call.

Re:My only concern (2, Insightful)

lucm (889690) | more than 8 years ago | (#14921083)

Many country have much more severe regulations against encryption technologies than the USA. Just a few years ago there was an incredibly severe law in France, stating that even domestic encryption was under the government control.

Believe it or not, you actually live in a (somehow) free country.

Well said (1)

QuaintRealist (905302) | more than 8 years ago | (#14921123)

You know - I appreciate exactly what you're saying. This really isn't a bad country in a lot of ways, but it's always easier to complain about the things that are broken than to fix them. I'm trying to do better at that, but...

You remind me of the Churchill quote. You know, the one about democracy being the worst system of government except for all the others.

Re:My only concern (0)

Anonymous Coward | more than 8 years ago | (#14921270)

Damnit -- that's HIPAA. I know most of the sections on encrypted data transfer pretty well (only a few memorized) -- but what in there would require encrypted voice transfer? Moreover, most MD's don't even understand basic encryption much less can you expect a stressed family or demented patient to manage -- heck it's a miracle when they can remember 7 digits.

On the other hand, either NSA is dropping bricks right now or they are just whistling along since they already know how to break pgp-ish encryption and are doing well at keeping it hushed. Sounds like the semi-domestic wiretapping problem may have just gotten much harder -- don' worry though we'll through go-to-the-moon-by-the-end-of-the-decade resources at cracking these enemy transmissions so we an keep the erl a-flowin outta Sowdy.

Saw a bumper sticker: Jan 20, 2009: The End of an Error

Encryption (3, Funny)

Mark_MF-WN (678030) | more than 8 years ago | (#14921654)

Let's be honest -- this guy needs to go to jail NOW. Privacy is almost as treasonous as sharing or questioning your leaders.

Re:My only concern (2, Funny)

JimXugle (921609) | more than 8 years ago | (#14921718)

So... are you suggesting we destroy our textile machines? I've got some TNT around here somewhere...

My security fears (5, Interesting)

webweave (94683) | more than 8 years ago | (#14921766)

I don't live in the US but I live very close and almost all of my IP traffic travels through the US at some point and my worry is that any business information collected by the US/CIA/FBI or other US agency would be made available to US companies. There have been court cases in the past of US sponsored spying benefiting US companies. They say they are after terrorist but who knows? With the knowledge of past activities of US spies and the current computing power of the US agencies all foreign businesses would be well advised to encrypt all sensitive information.

http://www.motherjones.com/news/feature/1994/05/dr eyfuss.html [motherjones.com]

http://web.nps.navy.mil/~relooney/4141_Spring2002. pdf [navy.mil]

http://www.commondreams.org/headlines/070200-02.ht m [commondreams.org]

Not using encryption is to believe GWB when he says "Trust me"

Important Stuff (4, Insightful)

WebHostingGuy (825421) | more than 8 years ago | (#14921017)

This is important stuff as more and more phone traffic is routing open in the internet. While most people do not believe their emails are totally private, when it comes to talking on the phone I believe there is a perception (and assumption) that no one else is listening. SIP, Asterisk and all the flavors of VOIP is changing telecom and encryption is necessary.

I agree, it is hugely important (4, Insightful)

maillemaker (924053) | more than 8 years ago | (#14921146)

Hopefully, this will be the straw that breaks the camel's back.

Ultimately, ALL traffic should be encrypted, whether it is VOIP, email, web browsing, whatever.

The guy is right when on his home page he talks about how it is so difficult to implement this sort of stuff as an add-on for emails, managing keys and the like. It's why no one does it. Of course, there has always been a computing overhead, also, which is why only pages that "need" to be secured currently are. But as horsepower goes up, those limitations should go away.

Ultimately, it should be a matter of course before all traffic that goes in our out of your computer is encrypted by default.

Hopefully this is the start of something huge!

Steve

Re:I agree, it is hugely important (1)

ScrewMaster (602015) | more than 8 years ago | (#14921297)

Adequate horsepower has been here for a long time, at least for basic communications such as email. A grasp of the importance of privacy (and the relevance of encryption to that end) is what is lacking. Besides, if public awareness were such that the technology were in demand, you'd see motherboards with hardware encryption and drivers already in place. Perhaps, if privacy intrusions such as identity theft (and governmental abuse) continue to increase in frequency and severity, encryption-by-default will be something that Joe Average insists is in his shiny new Best Buy box. Of course, that view would be decidedly unpopular with law enforcement, but at this point in time, I consider law enforcement to be nearly as big a threat as your average phisher. I don't have anything to hide ... but frankly, they have no need to know even that much about me. NOTGDB.

Re:I agree, it is hugely important (2, Insightful)

utlemming (654269) | more than 8 years ago | (#14922049)

I tend to agree that with CPU's increasing in speed and power, that the cost of encyrpting goes down. But also the cost of breaking the same codes goes down. Right now it takes 2^120 rounds to break AES encrpytion while trying to brute force. So in order for the higher speeds of the CPU argument to hold to encrypt everything, encryption technology will have to go up. Right now 128 bit is acceptable, but as speeds increase, then the encrpytion will have to be changed as well. And that will require faster processors.

Re:I agree, it is hugely important (3, Informative)

stephentyrone (664894) | more than 8 years ago | (#14922204)

yes, but the nice thing is that for most encryption methods, the work to do the encryption grows linearly (at worst polynomially), whereas the work to break the encryption grows exponentially in key size. the larger the key gets, the bigger the gap between work to encode and work to decode.

Re:I agree, it is hugely important (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14922234)

Ultimately, ALL traffic should be encrypted, whether it is VOIP, email, web browsing, whatever.
No, it shouldn't. Just because encryption is a very useful hammer does not mean that everything is a nail.

Thanks to Moore's Law, encryption is cheap -- but it's still not free. That's OK for things like E-mail, where the two end-systems handle only a handful of messages at a time. But if the Web suddenly switched from HTTP to HTTPS overnight, Web servers would collapse left and right from having to juggle thousands of simultaneous encrypted connections. Plus, the overhead for setting up an encrypted link is much higher than an unencrypted link, thanks to things like session key negotiation; for short-lived sessions like most HTTP traffic, the cost of setting up the link would dwarf the cost of actually transmitting the data.

There are a lot of networking applications where the contents of the packets is just plain not worth protecting from sniffers. Things like multiplayer games and most Web surfing usually fall under that category. There's no reason to force the added overhead on those applications just because we can.

Re:I agree, it is hugely important (3, Informative)

Myria (562655) | more than 8 years ago | (#14922361)

Almost all commercial multiplayer games use encryption as security-through-obscurity, usually by using custom algorithms. In online games, you're trying to keep cheaters from manipulating packets, not keep eavesdroppers from watching.

For https and such, setting up the connection is the majority of the work. Public-key key exchange (public-key certificates, Diffie-Hellman, etc.) is an expensive operation because it requires a modular exponentiation on the part of the server. However, once the connection is set up, the cost of encrypting each packet is extremely small.

Melissa

A-Splode (-1, Troll)

pete-classic (75983) | more than 8 years ago | (#14921022)

George Bush's head a-splode.

-Peter

Re:A-Splode (0)

Anonymous Coward | more than 8 years ago | (#14921067)

Encrypting phone calls would be worse than committing a stnank. Do so and Trogdor will burninate yo' ass!

No... there's no easter egg... I don't feel like it.

Re:A-Splode (1)

pete-classic (75983) | more than 8 years ago | (#14921393)

Grumberto? Is that you?

-Peter

Re:A-Splode (0)

Anonymous Coward | more than 8 years ago | (#14921535)

Nope, just an abuse Red Steckled Elbermung (Sr.) At least I get some good The Chekts to eat when Grond Sad eats all of the pizza and Crisps.

Phil and Jon (4, Funny)

MDMurphy (208495) | more than 8 years ago | (#14921030)

For some reason I got to thinking about Phill Zimmerman and DVD John [Johansen]. Both seem to pop up now and then and give us all reasons to smile.

Hmm... I wonder if Phil could come up with security that Jon couldn't find a way around?

Re:Phil and Jon (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14921050)

yeah, and then a couple years later a bug ridden open sores knockoff is released.

Yeah, but why the heck didn't he call it ... (0)

Anonymous Coward | more than 8 years ago | (#14921068)

PK-SIP ?

Sheesh, Phil, now that would have made me laugh!

Re:Phil and Jon (0)

Anonymous Coward | more than 8 years ago | (#14921070)

You do realise that "DVD Jon"'s reputation is built on a hack he didn't do, don't you? He's done good work since then, but the thing that earned him his reputation and nickname was somebody else's work. Better to call him by his proper name than his nickname.

Re:Phil and Jon (3, Insightful)

merreborn (853723) | more than 8 years ago | (#14921253)

I'm sorry, did I miss the story about DVD John breaking the public key encryption model? And blowfish? And the cypher du-jour?

He's released cracks for various pieces of software, but it's not like the guy's actually broken actual strong encryption algos.

http://en.wikipedia.org/wiki/Jon_Johansen#Other_pr ojects [wikipedia.org]

Re:Phil and Jon (4, Insightful)

Jah-Wren Ryel (80510) | more than 8 years ago | (#14921864)

He's released cracks for various pieces of software, but it's not like the guy's actually broken actual strong encryption algos.

And such 'cracks' are the best way to attack otherwise strong crypto-systems - don't try to crack an algorithm -- crack the implementation. Look for the vulnerabilities in the systems that use strong cryptography and find the back-doors, or break in a hole in the wall, but trying to go mano-a-mano with the entire crypto community isn't a smart thing and you are exactly right -- that isn't what DVD-Jon has ever done.

Not that I would imply that CSS is a strong algorithm, it ain't. But the new stuff for BLU-HD-RAY uses AES and the stuff that the Zim-man is using to security VOIP also uses tried and true crypto algorithms. That doesn't mean there won't be flaws in the implementations that can be exploited and Jon-Jon He's Our Man, If He Can't Exploit It, No One Can!!! Yeah Jon. Or something like that.

Re:Phil and Jon (1)

nodialtone (580061) | more than 8 years ago | (#14921783)

Probably not. I am smiling anyway. A standard for VoIP is sorely needed. Albeit, it is still p2p encryption now, I am all for it and like where this is headed. So much so, I am spreading the news myself thanks to this article. http://www.securityideals.com/ [securityideals.com] Give me a -3 please! I need it.

ATTENTION /. MODS: DO NOT MOD THIS DOWN!!! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14921046)

This comment is NOT a troll! DO NOT MOD THIS COMMENT DOWN!!!

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Nulla ornare. Phasellus pede turpis, tempus non, nonummy non, eleifend eget, felis. Fusce sed lorem. In suscipit, justo nec rhoncus viverra, mauris nunc varius ligula, sed imperdiet libero nisl ut magna. Suspendisse porttitor consectetuer eros. Vivamus fermentum, elit eu lacinia feugiat, tellus mi vestibulum mi, quis nonummy nibh dui et ligula. Maecenas lobortis porta nisi. Proin pede lorem, sodales at, viverra vel, vulputate consectetuer, tortor. Aliquam erat volutpat. Etiam eget ipsum eu neque iaculis fermentum. Duis consectetuer, arcu sit amet lobortis tincidunt, dui massa hendrerit velit, ac dapibus tortor lectus in purus. In fringilla faucibus turpis. Donec blandit felis nec nibh. Fusce congue velit vel pede. Aliquam erat volutpat. Nunc felis.

Cras libero enim, auctor id, tempus vel, posuere facilisis, dolor. Sed ut felis pharetra enim tristique fermentum. Nam tellus. Proin urna sapien, accumsan nec, ultrices id, bibendum et, lectus. Vestibulum ullamcorper, magna nec accumsan sagittis, nunc velit aliquet odio, in venenatis ligula urna eget odio. Duis et nunc. Ut lacinia, lorem quis viverra gravida, enim libero tincidunt erat, ut aliquet nulla tellus nec diam. Etiam enim. Vivamus eros. Donec vitae tortor. Sed venenatis, ipsum non aliquet posuere, justo dui posuere neque, ut aliquam pede purus faucibus mi. Suspendisse orci. Morbi ultrices interdum lorem. Vivamus nec dolor. Donec ut magna. Donec facilisis rhoncus sapien. Sed suscipit. Praesent sit amet ipsum.

Maecenas laoreet commodo leo. Aenean ultrices magna id arcu. Mauris luctus pharetra erat. Vivamus facilisis purus ac tortor. Curabitur eget nunc. Sed pede. Maecenas tempor imperdiet tortor. Sed laoreet dignissim pede. Sed molestie, magna eget auctor suscipit, augue enim ullamcorper mauris, mollis accumsan diam sem vitae eros. Pellentesque sit amet elit. Vestibulum accumsan, risus non tempus dapibus, lacus neque sagittis metus, at lacinia lorem augue ut lectus. Ut a libero quis mi aliquet interdum.

Pellentesque sed tortor a nibh elementum placerat. Aliquam ac tellus. Integer pretium tortor id tortor. Etiam justo. Fusce egestas urna vitae metus. Cras vestibulum dolor nec velit. Aliquam iaculis. Donec tristique pretium mi. Donec sagittis ultrices libero. Integer accumsan hendrerit lectus. Duis posuere. In feugiat, augue at blandit elementum, tortor lectus laoreet magna, tristique volutpat mi nisl in urna. Pellentesque rutrum, nibh non scelerisque vulputate, tellus nisi pharetra augue, dapibus ullamcorper sem nisi eu nisi. Aliquam at augue in orci dictum vestibulum. Pellentesque dui diam, tempor vitae, feugiat quis, ornare eget, pede. Mauris lacinia nisi in lorem. Vestibulum porttitor pretium elit. Aliquam sollicitudin, nibh non vestibulum accumsan, dolor ipsum faucibus libero, ut cursus elit neque adipiscing tortor. Phasellus at elit non turpis molestie rutrum.

Pellentesque elementum ante. Sed nec lacus. Donec quam. Duis nulla risus, accumsan eget, volutpat ac, aliquam vel, leo. Aenean interdum auctor nibh. Morbi tincidunt. Aliquam semper vehicula massa. Phasellus dui enim, placerat in, sollicitudin id, interdum et, enim. Suspendisse ultricies urna non ante. Etiam commodo euismod ipsum. Aenean dui. Suspendisse lobortis dapibus purus. Ut egestas sollicitudin massa. Etiam ut lorem sed eros fermentum nonummy. Maecenas augue nunc, facilisis sed, feugiat eu, hendrerit non, ipsum. Cras non tortor. Aenean sit amet dui. In id libero.

Vestibulum eu est quis sapien dictum consequat. Donec varius pede eget nisl. Cras tristique hendrerit quam. Duis facilisis nisi id justo. Nulla dapibus, est congue lacinia porttitor, tellus libero sodales est, tempor elementum urna enim id nibh. Sed arcu nulla, egestas auctor, lacinia in, fermentum sit amet, lacus. Vestibulum condimentum semper arcu. In cursus ligula non urna. Duis consequat libero ut nulla. Etiam iaculis arcu ut libero. Aenean elementum urna. Suspendisse dignissim, massa eget hendrerit consequat, urna pede commodo augue, at tincidunt nibh velit vel risus. Pellentesque condimentum dignissim tellus. Nulla facilisi. Proin nec nisi.

Aenean pretium, sapien a luctus pharetra, ligula mauris pulvinar libero, in tempus mauris est eu dui. Nulla quis nunc molestie dolor facilisis dignissim. Curabitur non erat. Phasellus magna. Sed ut enim. Curabitur id diam quis mi aliquet euismod. Nullam tortor. Vivamus malesuada. Curabitur facilisis nunc id magna. Donec et nibh. Donec pede libero, dignissim eu, feugiat et, consectetuer vitae, augue. Fusce purus elit, adipiscing ac, pellentesque nec, vestibulum sit amet, sapien. Phasellus ante pede, fringilla non, cursus nec, tincidunt id, turpis. Suspendisse sed diam. Aliquam lectus.

Vestibulum ornare dolor et nisl. Donec tempus. Mauris sed tellus sed mi imperdiet mollis. Fusce vel purus. In pede arcu, pulvinar non, semper sit amet, condimentum sed, eros. Curabitur fermentum, dolor vel commodo mattis, metus purus fringilla orci, vel porta dui nibh non augue. Aliquam molestie. Quisque pretium magna ut arcu. Suspendisse id lectus. Cras sapien est, congue ut, sodales a, pellentesque id, leo. Suspendisse id purus in est sagittis rutrum. Nunc vehicula suscipit sapien. Quisque eget pede a neque venenatis volutpat. Phasellus ligula. Aliquam elementum arcu sed dui. Nulla facilisi. Nullam pharetra justo sed nisl. In dolor leo, interdum et, lobortis a, iaculis ac, erat. Aenean eget enim non metus consectetuer facilisis. Nullam lorem massa, egestas vitae, pellentesque vitae, sollicitudin vitae, nisi.

Aliquam convallis magna nec nulla. Donec imperdiet sollicitudin eros. Donec pellentesque. Suspendisse sollicitudin dictum est. Integer imperdiet tortor a lacus. Aenean ultricies, nunc quis euismod dictum, turpis diam imperdiet quam, ut egestas mauris tellus a mauris. Morbi placerat massa id risus. Nullam accumsan. Sed eget tellus eu lacus porttitor dictum. Pellentesque blandit dui. Proin velit sapien, pretium nec, sollicitudin sed, accumsan ut, ipsum. Pellentesque a orci. Aenean commodo tempor risus. Mauris nec dolor. Vestibulum hendrerit, enim ac aliquet pharetra, odio erat venenatis eros, congue eleifend dui velit aliquet sapien. Cras convallis vulputate nisi. Maecenas eu eros. Vivamus adipiscing nulla ullamcorper purus.

Integer eget nisi. Curabitur quis urna eget metus dignissim blandit. Vivamus risus. Vivamus felis libero, aliquam id, laoreet ac, vehicula a, neque. Nulla facilisi. Donec sed mi vitae erat ultricies congue. Aenean id ipsum. Etiam luctus, enim et commodo laoreet, metus est eleifend massa, eget tincidunt diam massa sed erat. Quisque pulvinar erat auctor tortor. Nullam pharetra tincidunt ipsum. Mauris malesuada. Mauris vehicula commodo ante.

Re:ATTENTION /. MODS: DO NOT MOD THIS DOWN!!! (1, Funny)

Anonymous Coward | more than 8 years ago | (#14921142)

The jedi mind trick doesn't work too well when it's typed. Try again next time. You are not a winner.

Releasing the source (2, Interesting)

romka1 (891990) | more than 8 years ago | (#14921065)

If he releases the sources won't companies like Vonage that are being subjected to voip packet throttling from copetitive ISPs just take it and use this technology for free?

RE: Releasing the Source (2, Interesting)

GoldenWolf (767107) | more than 8 years ago | (#14921944)

It seems to me that Vonage and other US-based VoIP carriers would have a hard time with the department of Justice if they incorporated Zfone into their products. The CALEA requires providers to cooperate with law enforcement wiretapping.

For example, George Bush decides that you're a "Terrorist" and (without a warrant) orders your calls wiretapped. The Feds go to Vonage and demand to wiretap you. This leaves Vonage in a difficult position. What's going to happen if Vonage tells the Feds, "Sorry, but we can't give Bush a recording of this person's phone calls because our software/hardware incorporates strong encryption." Vonage will get hammered for failure to cooperate under the CALEA.

If VoIP providers incorporate Zfone in their software/hardware, you can bet there's some sort of backdoor so law enforcement can record your VoIP calls. If there's a law enforcement backdoor, some black-hat hacker will eventually find it. Then, you're right back where you started--anyone with some technical background can tap your conversation.

The only way Zfone is going to be useful is if it is implemented in an open source application. You can't be 100% sure that there isn't a flawed/buggy implementation or a deliberate backdoor if you can't see and review the source. So don't expect the VoIP providers to implement Zfone in their software. And if they do, unless they release thesource, it's probably snake-oil.


http://en.wikipedia.org/wiki/Communications_Assist ance_for_Law_Enforcement_Act [wikipedia.org]

What ever happened to PGP Phone? (3, Insightful)

WarlockD (623872) | more than 8 years ago | (#14921072)

The MIT Website [mit.edu] has taken it down, but I remember it working somewhat well between two IP address.

Was it just too far ahead of its time?

Re:What ever happened to PGP Phone? (1)

WarlockD (623872) | more than 8 years ago | (#14921079)

Sorry its FONE [pgpi.org] Bleh. Still wonder why no one ever maintained it

Re:What ever happened to PGP Phone? (3, Informative)

Winged (51560) | more than 8 years ago | (#14922190)

PGPFone was a wonderful idea. The protocol it used was messy as all hell. I talked with Phil about it in 1997; he said that it wasn't being maintained because it didn't lend itself to being extended to actually use participants' PGP keys (instead of just "I hear this voice" authentication), and that at that point all rights to it were owned by the company that had just purchased PGP Corporation.

No PKI? (2, Interesting)

fossa (212602) | more than 8 years ago | (#14921074)

Would it be useful to have the option, for those of us who have friends' PGP keys, to do the Zfone key handshake via PGP encryption that rather than verifying something by voice? It's fantastic from a "getting people to use it" perspective that it does not rely on PKI, but those who have already taken the plunge shouldn't be punished :)

Why not encrypt by default (5, Interesting)

Matt Perry (793115) | more than 8 years ago | (#14921094)

This article has me wondering about something. Why aren't we encrypting things by default? Why isn't encryption being built into the protocol when it's designed? It always seems that it gets tacked on afterwards, if at all, and we're worse off in the long run for it. Take VNC for example. If you want that encrypted you're told to send it over SSH. Wouldn't it be great if VNC traffic was encryped by design right from the start? The same applies to any other traffic (VoIP, IM, whatever). What happens is that many people don't encrypt because of the difficultly or they don't know any better. Unencrypted traffic is sent putting them at risk.

We know the network is hostile and retrofitting encryption onto something after the fact doesn't always work either because too many people using the unencrypted protocol, it's too hard to configure (as opposed to being mostly automatic like ssh connections), or just general security ignorance. What's really holding us back?

Encryption is hard (5, Informative)

user9918277462 (834092) | more than 8 years ago | (#14921134)

Because encryption is very difficult to do correctly. And we should all know by now that a false sense of security is worse than no security at all.

There's also the not insignificant fact that encryption is complex to use and administer. Adding in robust encryption is not free from a user-friendliness perspective. Much thought has to be put into reducing the user-visible complexity as much as possible so that the user base will actually use the encryption, and use it in such a way that security is preserved. Not trivial.

Re:Encryption is hard (1)

kwerle (39371) | more than 8 years ago | (#14921358)

No, encryption isn't hard. OK, it is hard, but that's what libraries, encapsulation, etc, are for.

Wanna encrypt VNC?

ssh -L 5900:localhost:5900 somehost.org
vnc to localhost:5900

Was that hard? No.
Why isn't that built into VNC? Because it's hard? No. Most of the reasons are probably legacy export concerns. But I don't think all of it is.

Note that openssh.org is hosted in the netherlands. I don't think that's entirely coincidental.

Securing a socket in cocoa seems to be a single method call on NSStream.

So the reason it hasn't been done is that it wasn't done - and it used to involve legal issues. The reason it isn't done is that coders are lazy.

Re:Encryption is hard (2, Insightful)

Bogtha (906264) | more than 8 years ago | (#14921390)

Wanna encrypt VNC?

ssh -L 5900:localhost:5900 somehost.org
vnc to localhost:5900

Was that hard? No.

That's because you skipped the hardest step - the out-of-band communication necessary to establish key authenticity. The first time you connect to a host via ssh, it displays a fingerprint and asks you if it should be trusted. Most people don't value encryption enough to even bother installing the relevant software, what makes you think that they value encryption enough to figure out a way of validating the fingerprint securely?

Re:Why not encrypt by default (4, Informative)

Savage-Rabbit (308260) | more than 8 years ago | (#14921168)

This article has me wondering about something. Why aren't we encrypting things by default? Why isn't encryption being built into the protocol when it's designed? It always seems that it gets tacked on afterwards, if at all, and we're worse off in the long run for it. Take VNC for example. If you want that encrypted you're told to send it over SSH. Wouldn't it be great if VNC traffic was encryped by design right from the start? The same applies to any other traffic (VoIP, IM, whatever). What happens is that many people don't encrypt because of the difficultly or they don't know any better. Unencrypted traffic is sent putting them at risk.

There are lots of reasons why encryption isn't being widely used. For one thing there is the normal tinfoil hat reason, ie. that the people in charge don't want it becausy they wouldn't be able to stick their nose where it don't belong so they try to prevent such technology from being widely used. Alot has also to do with cost and computing overhead. Encrypting can be an expensive thing to do in terms of computing power and especially so if everything form all the network communications protocols to storage media content is bening encrypted. Doning encryption with special hardware is one solution but that adds cost and also the problem of the hardware algorithms becoming obsolete like WEP for example. Just try to get ahold of, say a 100mb photoshop file. Now copy it into the user home directory of a regular user on an OS.X machine, then do the same for antoher user using 'File Vault'. You will quickly discover that the latter operation takes alot longer since those 100mb's of Photoshop file are being encrypted. You should notice similar problems when comparing normal unencrypted file transfers over a network with transfers over a high strength encrypted link. VPN for example works noticably slower using port forwarding over an SSH tunnel.

Re:Why not encrypt by default (5, Insightful)

Noksagt (69097) | more than 8 years ago | (#14921246)

  • Technological
    • Encryption implementation isn't free.
    • Encryption maintenance isn't free.
    • Unencrypted traffic is easier to sniff (which may be legitimately important).
    • Encrypyed traffic has a higher CPU overhead (which isn't always made up for).
    • Some people prefer to have one really good encryption program (SSH or a VPN) to route all traffic over.

  • Legal
    • Encryption can't always be exported from every country to every other country.
    • Sometimes it may be illegal to encrypt traffic.


Re:Why not encrypt by default (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14921276)

If you want that encrypted you're told to send it over SSH.

I think you've answered your own question. Unix mantra: do one thing and do it well. SSH is the encrypted transport layer. No other communication layer needs encryption.

This is exactly why tar doesn't compress, and gzip doesn't make archives. If you want that tar archive compressed you're told to gzip it.

Re:Why not encrypt by default (0)

Anonymous Coward | more than 8 years ago | (#14921725)

> > If you want that encrypted you're told to send it over SSH.
>
> I think you've answered your own question. Unix mantra: do one thing and do it well. SSH is the encrypted transport layer. No other communication layer needs encryption.
> This is exactly why tar doesn't compress, and gzip doesn't make archives. If you want that tar archive compressed you're told to gzip it.

If anyone with mod points wanted my left nut badly enough to make the trade, I'd deal.

Mod both grandparent and parent up. Innocent american civilian lives depend on it. If you have a spare point, and the GP and P post have been upmodded, mod this AC post down so that it'll be harder to find.

Re:Why not encrypt by default (2, Insightful)

Matt Perry (793115) | more than 8 years ago | (#14921892)

I think you've answered your own question. Unix mantra: do one thing and do it well. SSH is the encrypted transport layer. No other communication layer needs encryption.
So we should manually establish an SSH connection from our mail server to every MTA that we are communicating with? We should also establish a manual SSH connection for IM connections to every IM server that we connect with? SSH isn't a panacea.

Re:Why not encrypt by default (1)

agingell (931397) | more than 8 years ago | (#14921304)

Encryption is unfortunately directly opposed to that other very important networking tool compression.

By definition compression usually uses patterns in order to reduce the amount of data being send and also by definition encryption deliberately removes patterns as much as possible.

This fact is made even worse when the size of the data being encrypted is small as in (IM etc.) as it is necessary to pack the data with extra 'rubbish' data in order that it does not become trivial to decrypt, because it will not contain enough randomness (entropy). This is one of the issues with SSH style protocols, if one character is sent at a time over an encrypted socket then instead of trying to crack the encryption you just use time between keystroke's and the probabilities of the various keys being hit on the keyboard due to their distance apart and typing difficulty. Given a sufficiently large sample it is relatively easy, as long as the same person is typing. There are obviously methods to avoid this.

I agree that it would be great if things were built secure from the start and it will become what happens with any luck, but Internet network bandwidth is going to have to multiply before this becomes a reality. SMTP for instance would be an ideal candidate for encryption however it is bloated enough with the MIME encoding of attachments. Using PGP style plugins is great but again the message size multiplies.

VNC is an interesting one, I personally use it a great deal and mostly over VPN's to manage many disparate server systems, it would be nice if it was not necessary to have to open up the separate VPN's, however all the other traffic, filesharing etc. already use VPN's so really it is not that bad and would result in yet another firewall port to be forwared.

I mostly develope with Java which makes adding encryption to software trivially easy with the securoty libraries which are included by default. This is the case with most languages so the difficulty is not the problem, just speed and data size.

Short example using gnupg:
Message text:
This is a test to demonsrate the size difference
Encrypted text:
hQEOA/xuotSLmEetEAP9E3zO4QuUUYiLZLXUyuIpCf/wYCxQhv J5sdcNrws2sRGGwgpAGS7
A3syqu16/EktGavpjX+pRa74R3WAygphL8xOgw/Jze/zB3RvWJ Y3OBriBzWvN06uB9LuGhx
k2DSieJcGw1zkj89JXTUyKptrW/iFOdEojLXe/V5k/W/coGM4D /1NhB2JOaTqzqvV4I5TPq
0KhLs19Z2cV4J+jGE7rJritBhyGU4lRRPYIjbkRFnYJQ6/iDsj 0Qh/zXLxAF5OMj+CcqzP8
fJvD/ovh9ARnKdNaoAbUCbBY0AWjFY1dgHCItXz0hu4iquhvLl Lqiguj4yXuRlCmwYUZg9u
ZByvAoSBNhQEOAxwUT1jMpp2zEAP/cTX3aH4sOHcnVO6FzO9Qd 8UexU9cFhmPMP/gBAtxQk
uGMzGk5LpXNeL5WPmOnt+TXEWHAHRT/gYMZYZKqxFyn9Fj7cfI NvEFfI5SeqVtQS6/gJ/zf
mBXVP/UimwlgmsVbnS51qhLPRR3WKOoIiPiX+WnZRkp/cTKktD O94HtKHoEALZvrSbgXejd
FYqdcFXifsJoLPUdlVGyjrGkbxXSKRntq/87eXUGe3g7K6/LjQ c2osoNLiqFVTjc7DRVWnN
qdydPwIy+IsOpIuGom+V2I496lydOyKuMJLRUujlqDWRcduesO rkEGl3JbT3p3vo1J05UFV
2Maqon1WdtKfFA/nCF0moBK5rMbK/Fzi7kd5uZ4lviIJZhWIru bqNIROM96YrGzMjWHEwsR
qaPLEXdYY3VBhBb9dzzuAweQAon/uwXtjwvmn7o5JjMAY0/QP5 SEpqCK/37DY3Xxr/qZhwi
e4dZoXFmubLLbd3/5Zv2

Re:Why not encrypt by default (0)

Anonymous Coward | more than 8 years ago | (#14921338)

Werd! It wasn't that hard to set up the ssh tunnel for VNC, it just stinks to have to install cgywin and openssh, then start the VNC server... Damn microsoft for making remote desktop vulnerable to man in the middle attacks. The only reason people don't like encryptation on the internal network is that Snort cant sniff the packets... The dumb thing is that outbound traffic usually isn't filtered by the firewall oh I can keep it port 22 on the way in but 5900 all the way out silly stuff. now h4x0r the gibson ;).

Re:Why not encrypt by default (4, Informative)

chefmonkey (140671) | more than 8 years ago | (#14921480)

Why isn't encryption being built into the protocol when it's designed?

For any IETF protocol developed in the past 10 years or so, it is. For example, RFC 3261 (which defines SIP) makes TLS encryption *mandatory* to implement. It does allow the users/administrators/whatever to turn it on and off, but you can't say your implementation is RFC 3261 compliant unless it contains TLS encryption.

For most other important protocols defined before the IESG required strong security in all protocols, there have been significant efforts to revise them as necessary to provide encryption. For example, RFC 3711 defines a mechanism for encrypting RTP (the voice packets in a VoIP call).

Anyone who bothers to actually implement to spec already has released products that do encryption, many by default. For example if I use the Snom 360 SIP phone on my desk to call anyone else using a client that has actually implemented all of RFC 3261 (instead of whatever small portion of it amused them) and implemented RFC 3711, both the signaling and the media will be strongly encrypted BY DEFAULT. And that's the way it was configured when I took it out of the box.

The fact that some current implementations don't bother following spec impugns their designers and implementors, not the protocols they're using. Using the standardized VoIP protocols available today, everyone *should* be able to make encrypted calls.

great (3, Interesting)

Anonymous Coward | more than 8 years ago | (#14921109)

great idea, this is very much needed. I don't know how secure this actually is, the writer (phillip zimmermann) said he builds the encryption into tcpstack of whatever operating system the user is running and the key exchange is done automatically between hosts.. he also makes the statement that this technology/standard (zfone) would be integrated into the end-user software, in the near future. I'm not sure why he's so confident, it's nice but who's to guarantee any sip softphone end-points or better yet, hard telephones, will actually have this built in.

hmm.. i wonder if I have linux nat router running this (and it being my default gateway, if it will automatically encrypt any sip sessions if the end system is running the zphone gui. I mean this apparently works at the network layer (like tcpdump, promiscuously), I wonder if it has to be running on the same system the sip session is originating from. oh dear, i really need to replace my dlink router these days.

Re:great (1)

venixflytrap (961224) | more than 8 years ago | (#14921353)

he also makes the statement that this technology/standard (zfone) would be integrated into the end-user software, in the near future. I'm not sure why he's so confident, it's nice but who's to guarantee any sip softphone end-points or better yet, hard telephones, will actually have this built in. Because the original version of Zfone *was* a softphone. And I believe he's still working on one. --Naomi

Checksums, distro needs sigged. (4, Insightful)

Anonymous Coward | more than 8 years ago | (#14921141)

As there is no cryptographic signature on the package, these are my sums
as received. Please compare and post if yours are different.

SHA1 (zfone-linux.tar.gz) = aa9ac66a5dce43cff2639787f30e939078b47ebe
MD5 (zfone-linux.tar.gz) = c6a47feca0fd5cb5bf72a8f6a1e8f207

PRZ, please sign your packages! Thanks, World.

SRTP? (2, Interesting)

Gerald (9696) | more than 8 years ago | (#14921144)

What's the difference between this and SRTP [ietf.org]?

Doesn't deal with key management (1)

slyborg (524607) | more than 8 years ago | (#14921758)

This is kind of a major problem since PKI infrastructure hassle is one of the main reason that most people don't use encrypted email, although the means for doing this has been around for years now.

PGPfone, Speak Freely (4, Informative)

Noksagt (69097) | more than 8 years ago | (#14921152)

I can remember Phil's PGPfone [pgpi.org] which was released before VoIP was "the next big thing." It used GSM speech compression and 3-DES/CAST/Blowfish cryptography "to give you the ability to have a 'real-time' secure telephone conversation" (directly over 14.4 Kbps (or faster) modem-to-modem, through the Internet, or through AppleTalk).

That died. It is good to see a new alternative that has adopted newer standards.

Another "oldy but goody" was Speak Freely [speakfreely.org].

Re:PGPfone, Speak Freely (1)

Shanep (68243) | more than 8 years ago | (#14921293)

I can remember Phil's PGPfone which was released before VoIP was "the next big thing."

Me too. However try as I might, with a friend at the other end of a 28.8 connection and also locally in my home between two PC's with 100Mbit/s connections, I could not get anything better than short bursts of audio to either end. It seemed like a duty cycle of about 1 block of sound out of 5 or 10 blocks of silence. A conversation could not be made.

Did you have any luck with PGPfone? I tracked it down and tried it again years later with much faster PC's and had the same disappointing effect. I think I tried it with the V1 series however.

I hope a Zfone proxy is made so that hardware ATA's can be secured?

Re:PGPfone: Full duplex mode did suck (2, Informative)

Noksagt (69097) | more than 8 years ago | (#14921409)

try as I might, with a friend at the other end of a 28.8 connection and also locally in my home between two PC's with 100Mbit/s connections, I could not get anything better than short bursts of audio to either end...Did you have any luck with PGPfone?
I seem to recall that full duplex sucked in this way on 56.6. I think I half duplex (push-to-talk) was passable. But it was also so inconvenient, so I opted to not secure voice traffic. I thought I tried it on broadband with a bit more luck. It didn't seem to suck significantly more than any other VoIP at the time. I do think that the Macintosh version was slightly more reliable (it was originally released on the Mac & eventually ported to win32). (And, again, it didn't suck THAT much more than any other Mac Class app.)
I think I tried it with the V1 series however.
v1+win32 might have been part of the problem. I don't recall the differences between v1 and v2, but NAI seems to have killed much of the goodness in any of the apps they acquired, so I wouldn't exactly hold my breath.
I hope a Zfone proxy is made so that hardware ATA's can be secured?
Indeed. And that hardware SIP devices start adopting it (some should be able to adopt it via firmware, not that the hardware manufacturers will actually DO that).

Re:PGPfone: Full duplex mode did suck (1)

Shanep (68243) | more than 8 years ago | (#14921539)

Indeed. And that hardware SIP devices start adopting it (some should be able to adopt it via firmware, not that the hardware manufacturers will actually DO that).

I hope my ATA has the grunt to do both the codec work and the crypto and they adopt this if it is ratified. I've seen some tables which outline the approximate CPU requirements of various codecs against various CPU architectures often used in embedded (like MIPS). Those tables are apparently intended for choosing CPU's for VoIP devices. I hope my ATA designers were not too cheap to have this crypto.

Great! (0)

Anonymous Coward | more than 8 years ago | (#14921156)

It's about time someone finally followed the EFF's advice!

Related project (5, Interesting)

Anonymous Coward | more than 8 years ago | (#14921158)

There was a presentation from another group (wasn't Phil, although he was there) at DefCon 13 relating to reverse-engineering the GSM voice compression so that data could be fed through a GSM voice link accoustically with almost no overhead (in other words, at close to the GSM native digital bandwidth). The intent being to provide a means to attach accoustic peripherals (handsfree headset for example) that could perform encryption and send the encrypted, digitized voice over the GSM link accoustically (to be recieved and decoded by a similar device on the other end), thus allowing encrypted voice communication over an untrusted and unmodified cell phone without the need to install any software.

Re:Related project (2, Interesting)

twiddlingbits (707452) | more than 8 years ago | (#14921513)

From your description they just re-invented the Modem using Digital instead of Analog and with encryption. This isn't new, the STU-XX secure phones used by the Government for Classified voice calls work very much the same way. Might be some IP infringement issues with thier work as well.

ATTENTION /. MODS: PLEASE MOD THIS POST UP!!! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14921207)

batman touched my junk liberally. he strapped me in to his batmobile and he couldnt keep his offensive hands off of me. he was performing many red flag touches. i couldnt believe what the fuck was going on. i told batman the city would not approve of a millionaire touching an underage kid
for free.

can you believe it? batman did all this. he picked me off the street, strapped my arms and legs down in the batmobile's passenger seat, and just wouldn't stop fondling my cock'n'balls.

they definately were red flag touches. the goddamn referee he had in the back seat kept on raising up this red flag every time he touched my junk but did batman care? NO WAY! he just kept on doing it. I couldn't believe what the fuck was going on, indeed. I pleaded with batman but to no avail. I told him the city would not approve of such a wealthy man touching an underage kid like me (at the time I was 13) without at least compensating me for the trauma and the use of my body as his own personal plaything.

this got to him, worrying about his image. he continued to fondle me, all the while ignoring the referee's red flags. then he drove the batmobile to my house and ejected the seat i was in! it was amazing. but surprisingly, after I woke up the next morning, my bank account had $150k in it!!! Can you believe it????????????

Well... (3, Interesting)

Anonymous Coward | more than 8 years ago | (#14921255)

SIP is just a protocol that sets up connectivity and media control; the stream itself is not covered by the SIP protocol. For that, you need something that supports Secure RTP (SRTP), which encrypts the payloads of all RTP streams. If you've managed to encrypt SIP, all you're doing is encrypting call setup and feature requests. Your conversation is not encrypted.

Re:Well... (0)

Anonymous Coward | more than 8 years ago | (#14921387)

Anonymous Coward said:
If you've managed to encrypt SIP, all you're doing is encrypting call setup and feature requests. Your conversation is not encrypted


Well, it's great that somebody noticed this. Maybe Philip Zimmermann, creator of PGP, will read your post and realize that he forgot to encrypt the conversation when he wrote this secure phone software.

VoIP and IM (1)

mckayc (307712) | more than 8 years ago | (#14921290)

I'm thinking MSN Messenger and Google Talk should add this to their VoIP features. Right now talking with VoIP unencrypted over the 'net makes me a bit uneasy.

However, though encrypting your VoIP communications might make them more secure, they're also much more likely to be flagged by systems like ECHELON, which automatically tag traffic that is encrypted as suspicious.

Re:VoIP and IM (1)

venixflytrap (961224) | more than 8 years ago | (#14921414)

Given that Google Talk, MSN, iChat, and others all use SIP as a voip transport, and zfone sits in front of any arbitrary SIP connection, you might have luck using these things with zfone, no client-integration directly needed.

--Naomi

Re:VoIP and IM (0)

Anonymous Coward | more than 8 years ago | (#14921461)

You can already enrcrypt the text portion of your favorite IM's.

Haven't you heard of GAIM-encryption. http://gaim-encryption.sourceforge.net/ [sourceforge.net]

There's also a plugin called Off-The-Record(OTR) from cypherpunks. http://www.cypherpunks.ca/otr/ [cypherpunks.ca]

I've got both. First download gaim-enryption, then add the OTR. They're actually independent and don't work on top of each other. I've just got people that use one or the other, and I just select the one I need to encrypt the channel. Both are pretty seamless.

When GAIM finally gets voice, then I'm sure GAIM-encryption will follow with encrypted voice.

Why not use OpenSSL? (2, Insightful)

Cthefuture (665326) | more than 8 years ago | (#14921448)

I know the API isn't the greatest and the documentation completely sucks but someone with OpenSSL knowledge could put together a SIP-friendly API in a couple hours.

At least then you're using a public, well hammered on API and would have a multitude of algorithms to choose from. I mean OpenSSL is used in tons of stuff and gets lots of field testing.

I have never understood the point of PGP with its proprietary crap formats when there are open, standardized formats for the stuff it is typically used for (S/MIME, X509, PKCS#12, etc.) and that are supported in standard applications rather than require some goofy PGP add-on.

Re:Why not use OpenSSL? (5, Informative)

rodac (580415) | more than 8 years ago | (#14921658)

VoIP is different from most other traffic types in that it is hard realtime and needs real low latency. This means VoIP uses UDP

OpenSSL builds encrypted sessions over TCP. TCP is not designed to work well for the requirement space needed by VoIP.
If fact, it just would not work well at all.

Re:Why not use OpenSSL? (4, Informative)

Cthefuture (665326) | more than 8 years ago | (#14921708)

OpenSSL is not just an SSL API. It's a full cryptographic API. The socket stuff is not even in the core crypto library. There is libssl and then there is libcrypto. Both are part of OpenSSL.

OpenSSL is a misnomer.

I didn't mean "use SSL", I meant use OpenSSL the cryptographic library that supports all that standard stream ciphers. You can use whatever networking stuff you want outside of OpenSSL.

Getting this thing to build under Linux (1)

mwilliamson (672411) | more than 8 years ago | (#14921918)

I've not been able to get this thing to build on FC3, FC4 or Debian-Stable. In zfone-linux/srtp-ctr some of the test utilities won't build... no big deal because make install still works. The makefile for zfone-linux/libzfone/bnlib references /bin/install instead of /usr/bin/install. No biggie. Fixed. Installed. Lastly (I stopped here), make of zfone-linux/libzfone totally blew chunks in what at first glance looks non-trivial.

Methinks Phil needs a Linux box!
hehehe j/k.

Has _anyone_ got this thing to build?

Paging Phil (again) (0)

Anonymous Coward | more than 8 years ago | (#14921972)

Hey Phil,

Pretty good response time from the last time I paged you about whether you'd get this out before it was banned/in time.

Glad to see its finally out.

Now, just so I get to use this before I get Asterisk working...and so that a lot of other people start using it by default...

Are we going to see a Vonage version? I'm sure there are problems...how about placing a computer between the incoming router and the Vonage phone adapter? With the subnet provided by my isp, that's my current setup, a dsl modem that also routes the subnet, then linksys routers at each public ip address, plus the Vonage router/adapter at its own public ip address. So I can talk to computers on the lan behind the linksys router, the web server is behind another linksys/ip, and the Vonage adapter on its own ip behind the adsl router and switch distributing to each linksys/Vonage adapter. It would be simple with this setup to place a computer between the Vonage adapter and the switch.

That's assuming your technology would work between the Vonage adapter and any switch or adsl router/modem.

If not, can we expect an update that includes Vonage capability? With the number of Vonage customers, it would provide a much larger userbase for adoption of your tech, so a lot more individual voip users would have their end encrypted.

I'm not holding my breath for Vonage to adopt your tech. They won't. They already made it clear that they are the man in the middle, and therefore they are already intercepting calls for the government. Adopting your technology will throw a monkey wrench in the works, and Vonage will be under pressure to keep providing access to calls, even though competitive pressure may demand some encryption scheme. If they had to encrypt because your tech becomes widely adopted, I still fully expect them to use an alternate encryption scheme, where they retain their man in the middle capability and capability to sniff calls for the government. Or to use an encryption scheme like skype uses, where they refuse to release the source code so it can be independently evaluated for robustness/holes/weaknesses.

Adding Vonage to your market base will help your project, and everyone concerned about security of phone conversations. Please consider it. Thanks for your efforts to date, for everything. Keep it up.

What is the big deal? (2, Insightful)

Guspaz (556486) | more than 8 years ago | (#14922224)

Why do some people jump all over protocol-specific encryption as helping terrorists, or other such nonsense?

There is a great deal of concern over Skype being encrypted. People say it can be used by terrorists for encrypted communication. The thing is, throw up a VoIP server of some kind (Even the free ones like Ventrilo or TeamSpeak), and connect to it using something like Hamachi. Bam! All your UDP voice traffic is encrypted.

Heck, you can even do it with TCP. SSH tunnels encrypting two-way Shoutcast streams. Huzzah! Encrypted two-way voice communication! Heck, pump the shoutcast stream over HTTPS and that'd be encrypted too.

So, this is why I don't get it. Why complain about Skype when there will always be ways to encrypt voice traffic over the internet? Programs like Hamachi (Encrypted P2P VPN solution with an IM-like interface) make it insanely easy to set up more secure solutions than Skype, and there is always SSH tunnels as a fallback.

So how does this relate to the current situation? Well, people are sure to complain that this new program somehow helps terrorists. So I'm just saying that that is BS.

QoS (2, Funny)

Nonillion (266505) | more than 8 years ago | (#14922278)

Hmmmmm, could one use this method to get around some of these pesky Quality Of Service restrictions? Because we all know the carriers like to enforce these things to keep you from getting quality from your VoIP service.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...