Skype apparently threatens Russian national security [Telecom]

Just found this on Slashdot:

"Reuters reports that 'Russia's most powerful business lobby moved to clamp down on Skype and its peers this week, telling lawmakers that the Internet phone services are a threat to Russian businesses and to national security.' The lobby, closely associated with Putin's political party, cites concerns of 'a likely and uncontrolled fall in profits for the core telecom operators,' as well as a fear that law enforcement agencies have thus far been unable to listen in on Skype conversations due to its 256-bit encryption."

Thad Floryan

I betcha the CIA knows how to listen to Americans! ;-)

John F. Morse

Not the CIA but the NSA.

T

Think "Echelon"; I'm not sure if the FBI's "Carnivore" is still in operation. Russia's "SORM-IV" is allegedly equivalent to the NSA's Echelon.

For an eye-opening report of AT&T complicity with the NSA, one of the NSA taps on the AT&T Internet backbone was accidentally discovered 7 years ago in a facility in San Francisco and reported in this article from 2007:

Basically, the fiber runs have 2-way optical splitters: NSA gets everything. Prior stories in the SF Chronicle stated every communication channel from cellphone, radio, landline telephones, etc. is "received" by the NSA.

Claims made for the Echelon system boggle my mind, but knowing what I was doing in the 1960s at the GTE Electronic Defense Labs (Mountain View CA), I cannot dismiss those claims outright. I'm no longer in "that business" so I'm unaware of what's really possible today and I cannot discuss what I did "back then".

Thad Floryan

SORM has a dual meaning. SORM became Russian law in 1996 to monitor ALL telecommunications (phones, FAX, etc.) within Russia. SORM-2, in 1998, added the Internet. An ex-Russian military officer at a client site circa 2005 informed me SORM-IV was the hardware equivalent to the NSA's Echelon and ostensibly operates also outside the confines of Russia (as Echelon also (primarily?) operates outside the confines of the USA).

Some background for Echelon, SORM, Carnivore, etc. can be read here:

New KGB Takes Internet by SORM

SORM - Russia's Big Brother

Russian FAPSI wants lines to tap all (in English)

SORM Acceptance Report (in English)

Back to Echelon (which monitors phones, Internet, FAX, all radio transmissions, and even has 100m (~300 foot) dishes in geosynchronous Earth orbit (which I presume is the "Clarke Belt" that Bill, our moderator, references) to pick up some of the radio and microwave traffic (in addition to what the NRO (National Reconnaissance Office) does)), I found these article URLs in my archives and they're all still active and good:

Privacy Concerns Grow Along With Electronic Communication

Europe Accuses U.S. Of Economic Spying

Spy in the Gray Flannel Suit

Pals shouldn't spy

France Opens Inquiry Into American Surveillance Network

EU group denounces U.S. Spying

Tech pros and cons revealed

EU says 5 members' offices bugged

Spying on U.N. chief provokes only yawns

A Sept. 10 State of Mind

"1984" took a bit longer to arrive than originally predicted. :-)

Thad Floryan

A number of years back a client of mine was taken over by another company. As I didn't trust the new IT department I installed OpenVPN on my laptop and my email server so they couldn't snoop on any emails. This has worked quite well for me. However this only ensures no one can snoop on emails between my email server and my laptop. And very few people run their own web and mail servers.

We should really be using S/MIME encryption to encrypt the emails for the entire connection from your computer to my computer so the NSA, CSIS (Canada's version of the NSA and CIA), etc., can't snoop. (How's that for a few acronyms guaranteed to set off a few low level flags.)

You can use the Thawte Web of Trust to get yourself a free email certificate.

Programs such as Outlook Express/Windows Mail and Outlook do support S/MIME quite nicely.

(Regretfully the email software I've been using since 1995, Eudora, has *lousy* support for S/MIME. Apparently this is a fundamental architecture problem and Eudora is no longer being upgraded. If I do need/want to start using S/MIME I'll likely be using a dedicated email address just for those emails and use Outlook. Apparently Thunderbird is somehow being "upgraded"/"sideways changed" to become more like Eudora but I haven't checked on that lately.)

I'd also like to see a lot more corporations using S/MIME encryption on their emails as it's possible, for example, folks at your upstream provider could be snooping on emails.

Now as to how S/MIME would work in a web browser for those who use Hotmail and Gmail? I think Gmail now allows you to choose to always use a https or secured connection if desired. That won't help if you're feeling particularly paranoid about the NSA and the like but will help ensure that the folks at the coffee shop aren't snooping.

Tony (one of my job titles is paranoid pessimist)

Tony Toews [MVP]

The solution I use is GPG (GNU Privacy Guard), somewhat akin to PGP as was mentioned at several of the URLs I cited in the earlier article. It integrates well with many common email clients (e.g., Thunderbird, et al) and is what I insist people use if they need to send me passwords, and it provides choices as to the depth/style of encryption.

secure data connections over the phone line, with later models incorporating Motorola's MC6859 DES chip. First/earlier models required using an external modem, later/final models incorporated a builtin modem, initially modules from Cermetek (IIRC) and later the Telebit module for higher speeds.

There's a funny story about that MC6859 chip. Upon arriving (late) one day at my office, I found a two foot high stack of documentation and several tubes of sample chips, including the MC6859, left earlier by the Motorola rep.

Atop the pile of documentation was a black bordered, sternly worded "NOTICE" stating (paraphrased) "Products incorporating this chip may not be exported from the USA without prior approval from the Office of Munitions Control of the US Department of State blah blah blah".

When examining the pretty purple-colored ceramic MC6859 chips with gold legs, I turned one over and, WHOA!, emblazoned on its underside was "MALAYSIA".

So much for the technology never leaving the country. :-)

***** Moderator's Note *****

This thread reminds me of the debate about the "Clipper Chip", which was a government-backed program that would have mandated that any encryption device include the capability for the government to decode the data which was encrypted.

RSA Security and other commercial firms opposed the program, and it was never implemented. However, any widespread use of encryption will revive the debate: the methods aren't important, but the central question is "Should Uncle Sam be entitled to listen in on my calls or read my emails"?

Thad Floryan

I'm another diehard Eudora fan. I'm using Eudora's TLS capability to encrypt the traffic between Eudora and my mail server. Is this less secure or desirable than S/MIME? I don't know squat about S/MIME. From a few seconds of Googling, it looks like it provides signature verification capability, which isn't included in TLS. But if you're just interested in protecting your email from prying eyes on the net, signatures aren't really necessary.

***** Moderator's Note *****

The advantage of S/MIME or PGP is that they are End-To-End encryption methods. TLS, OTOH, is only secure up to the server, and the emails are stored in plaintext inside the machine.

Matt Simpson

I had almost forgotten the Clipper. Good riddance. I seem to remember that "requirement" sparked rumors that Microsoft also has/had been "requested" to provide back doors in their OSs for government use.

For those following this thread, it's a given that government already is eavesdropping on telephone, radio, email, etc. (ref. Echelon, SORM, Carnivore, and similar).

Just speculating here, apparently such government systems "trigger" on key words, phrases, end points, and "abnormalities" (such as encryption for voice and data).

As mentioned at prior-cited URLs regarding Echelon, the loophole in present law is that "non-USA entities" are freely allowed to monitor intra-USA communications, presently rendering moot whether Uncle Sam can monitor (or not) its citizens' voice and data communications. The "non-USA entities" includes the USA's Echelon partners (UK, Canada, Australia and New Zealand).

Thad Floryan

On Wed, 29 Jul 2009 21:56:33 -0400, Thad Floryan wrote: ........

Hey, just because some of us have on our territory large US listening posts doesn't mean we have access to what they collect.

David Clayton

For an interesting trip down memory lane, I highly recommend Steven Levy's book "Crypto". I took it off my bookshelf a few weeks ago and was surprised at how much I had forgotten.

Among other things, it has the history of how RSA came to be, Dorothy Denning's support of Clipper and key escrow, Donn Parker, and even a bit on Robert Morris, Sr. You may recall his son from a slightly more infamous incident.

***** Moderator's Note *****

Cliff Stoll included some anecdotes about Morris in his book "The Cuckoo's Egg". IIRC, one of his later books included an appendix about the Morris Worm and how amazed _everybody_ in the business was that it had succeeded so well and so quickly. The Unix world lost a lot of its innocence on that day.

Robert Neville

Understood.

I'm not privy to how/what information is exchanged/shared, and if I were I wouldn't be able to reveal that. :-)

My guess is the post(s) in your country are ground stations for the satellites.

Thad Floryan

As a citizen in a country with numerous US military/surveillance installations, I still remember the laughter quite a few years ago when our government "negotiated" access to some of the collected information as part of a deal to keep housing the bases when their leases were expiring.

The laughter was our government trying to assure people that the info we would get access to was of any worth rather than some sort of token gesture to keep justifying the presence of foreign bases to the local electorate - and we all had a good chuckle because no one at all took the agreement seriously.

Even when it was pointed out that each and every US base on Australian soil most likely has its own Russian nuclear missile pointed at it, most people seem to think that is an acceptable situation.

David Clayton

I'd forgotten about TLS. Indeed I'm using it on one of my email accounts on a US based email server that I don't control. Hehehehe

S/MIME can provide signature/envelope verification but also provides encryption. Assuming that both parties to the email have previously exchanged emails with their public keys attached.

Correct. But then you know someone hasn't inserted or deleted anything in the email.

Correct. Especially if you replace the last word machine with server.

Tony

Tony Toews [MVP]

Your last sentence brings back memories of the spine-chilling situation here in Silicon Valley.

At the intersection of two major freeways, US-101 and Calif. Hwy 237, was the absolute number 1 military target of the former USSR: the Air Force's "Satellite Test Center" aka The Blue Cube aka Onizuka Air Force Station.

It was the primary control center of all USA's spy satellites (and just 4 miles from my home) flanking what was Moffett Field Naval Air Station and, then Lockheed Missiles and Space Company, now Lockheed-Martin.

Every year for decades the San Jose Mercury News featured a several-page layout showing the extent of blast damage to Silicon Valley and environs from an air-blast thermonuclear weapon. And that, too, was supposedly deemed an acceptable situation. NOT.

I believe we should end this thread -- we're getting way off the topic of telephony and I appreciate the moderator's (Bill's) tolerance to date.

***** Moderator's Note *****

Ah, but it wouldn't be summer without a little nostalgia. However, you're right, it's time for the thread to end.

Bill

Thad Floryan

Smacking self in head. DUH! If I'd thought about it for a few seconds, I would have remembered that.

It doesn't really matter in my case, since I don't correspond with anybody else who cares enough about privacy to use encryption. So TLS encryption between my client and server is the best I can get anyway. But yeah, if both ends care enough about security to want an end-to-end solution, TLS ain't gonna do it.

Matt Simpson


An incorrect characterization of Clipper. The mandate would have been to require the use of the _government-sanctioned_ hardware for all encryption, _without_ the ability to independently audit/verify the quality (aka 'strength') of the algorithms. (A classical "trust us, we're the government" approach.) Said government-sanctioned device _did_ have an officially acknowledged back-door, which would have allowed the gov't to decode anything encrypted with the SkipJack algorithm ("Clipper" was the hardware implementing SkipJack).

Sorry, that's revisionist history. "Clipper" _was_ implemented. It was a hardware-based implementation of "SkipJack" (a government developed encryption algorithm). The idea being that the government develops this 'unbreakable' (that is, except for the official 'back door' entry) algorithm, provides a black-box hardware implementation to anyone 'for cheap', and becomes the single-source supplier for legal encryption.

Nearly 30,000 were delivered to DOJ and DOD by Q2 1994, including production runs of the 'Fortezza' security card.

Unfortunately, the Clipper algorithm was 'fatally flawed'. There was an 'official' back-door into the encryption, to allow properly-authorized law-enforcement types to read message text -without- needing the encryption key,

*BUT* by feeding appropriate 'maliciously constructed' data to the "black box" that was the clipper hardware, one could render that back door useless. In addition, there was another 'failure mode' in the protocol which made it 'computationally _feasible_' to extract the original message from encrypted traffic.

I was present when Dr. Matt Blaze, of AT&T Bell Labs, made the original public presentation of his findings on the above, in June, 1994. For the gory details of the flaws, see:

It didn't take long for others to verify his research. The gov't then engaged in a large-scale effort to 'fix' the discovered deficiencies, but that turned out not to be practical -- without a complete revamp of the entire architecture.

Since the 'back door' could be 'boarded up', as it were -- and thus rendered 'unusable' to law-enforcement -- the political backing for the government-created methodology evaporated. The fact that it was 'breakable' with a "reasonable" amount of computing effort -- when an 'unconventional' attack was employed -- meant that -nobody- would voluntarily trust anything sensitive to it.

And _that_ was what really killed Clipper.

Robert Bonomi
