Re: VOIP over Wi-Fi subject to eavesdropping?

From: Jeff Liebermann (jeffl_at_comix.santa-cruz.ca.us)
Date: 08/08/05


Date: Sun, 07 Aug 2005 18:39:38 -0700

On Mon, 08 Aug 2005 00:35:53 +0100, jnitron
<jnitron-nospam@hotmail.com> wrote:

>My point exactly. If the caller is not the subject of attention, then
>security is irrelevant.

I'm sure all the law abiding citizens with government files of their
activities will be gratified to know that the government will not use
the information against them. I'm not the most law abiding citizen in
the US. I do keep skeletons in my closet. I do have some secrets
that I don't want anyone to know about. I also have a collection of
commercial secrets that are not for general consumption. I have
plenty to hide. Whether the evidence collecting is done by our
beloved government, by our trusted business associates, or by
professional informers, is not really important. It's why they find
it necessary to do so that bothers me. Don't blame the victim.

>Paranoia is the hallmark of somebody who has something to hide and he
>believes others have reason to be concerned about.

Ignorance is the hallmark of someone about to get hacked. Someone who
is informed of the mechanics of how privacy intrusions, wireless
sniffing, general hacking, and wireless-tap recordings are done, is
less likely to find themselves compromised than the ignorant. I'm not
suggesting that paranoia should be some type of security measure, but
awareness of exploits and techniques will often do more to prevent a
security breach than all the automagic IDS systems.

>Fortunately most of
>us have nothing to hide.

Oh? Could I trouble you for your bank ID, social security numbers,
birthdate, mother's maiden name, credit card numbers, collection of
passwords, and name of your mistress? Surely you don't think these
should be kept hidden.

>We are more concerned about finding out about
>what is hidden than trying to hide that which most people have no
>interest in knowing.

Well, the line between privacy and security is a thin and shifting
line. The recent example of where Google's president had his privacy
allegedly violated using his own Google search tools is a good example
of the moving line:
  http://money.cnn.com/2005/08/05/technology/google_cnet/
I have successfully horrified customers by digging through various web
sites for their past information. (It's also called "ego surfing").
Addresses and phone numbers are easy. Former employers can sometimes
be found. Old email addresses are fairly easy. Birthdays are spotty
but possible. Until recently, driver's license numbers, SSI numbers,
and some medical records were possible. Whether someone is interested
in this information really depends on what they have in mind to do
with it. Identity theft comes to mind. Depending upon circumstances,
the info itself can be quite damaging. For example, when I found a
customer's birthday online, he was almost in a state of panic because
he was lying to his employer about his age.

>Read
>http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

Good advice.

>or maybe you should read about the British achievements at Bletchley
>Park 60 years ago, which probably saved America's ass at Midway.
>Encoded wireless transmissions are not new and there will probably
>never be a way of making them 100% secure.

Drivel. The US and British were not exchanging decrypts or technology
at that point in the war. While the British were well ahead of the US
on German ciphers, the US had been working for years on Japanese JN-25
ciphers at "station Hypo" in what much later became Arlington Hall.
The Midway decrypts came strictly from US codebreakers. See:
  "Battle of Wits" by Stephen Budiansky
for details of the US efforts.
  http://www.amazon.com/exec/obidos/tg/detail/-/0684859327/103-9342997-4351038?v=glance

>Remember that the vast majority of email sent across public networks,
>even outwith VPN's, is not encrypted.

Did you ever wonder why it's not encrypted? You could easily have
encrypted email and authenticated servers without much difficulty.
There are RFC's describing the techniques in detail. The problem is
that you lose anonymity in the process. It's impossible to encrypt
and authenticate without pointing a finger directly at the source of any
traffic. There is a large contingent of users that consider
anonymity equivalent to privacy and don't want to lose that for fear
of government or corporate reprisals. I consider this to be a real
fear and the major stumbling block preventing universal encryption.

>Our reliance on the spoken
>word is far less. (For example, President Reagan who said in a
>wireless broadcast ....... "My fellow Americans, I'm pleased to tell
>you today that I've signed legislation that will outlaw Russia
>forever. We begin bombing in five minutes.")

Reagan had quite a few better quotes:
  http://en.wikiquote.org/wiki/Ronald_Reagan
If you've ever listened in to an analog cellular conversation (before
it was outlawed), you would wonder why anyone would even want to
listen to that junk. 99.9% of everything I heard was garbage. Yet,
when I yacked with a customer on the way to a server recovery, I
stupidly announced the root password to their servers. For the next
two weeks, someone was trying to break into their system using this
root password (which I changed on arrival because it was time, not
because I was paranoid).

>Remember that the question we are trying to answer was concerned with
>"practical" security, not the level of security that might be needed
>to prevent the interception of thought processes as if in a "Matrix"
>dreamworld.

The technology for doing that isn't here yet. I visualize a bad
science fiction movie, where the victim wears a metal helmet full of
wires, and where a rack full of hardware sucks the thoughts directly
from his brain. Not this week, but maybe in the near future.

>Get real everybody !

I am. It's called "crime-think".

-- 
Jeff Liebermann     jeffl@comix.santa-cruz.ca.us
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
                    AE6KS    831-336-2558

