Using SIP to defeat the NSA

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
I've been fiddling with SIP. It turns out there are a number of  
companies that will allow you to create an internet only account for  
free, with I presume the notion that you will eventually buy their  
service. You can just do an internet search on "free sip account" and  
they will turn up.

Now you can proxy your sip, though I'm not sure how much that does to  
protect your identity since you still have a SIP address or phone number.
Quoted text here. Click to load it

The Guardian has some info on GSM security:
Quoted text here. Click to load it

It seems to me the cellular provider can eventually start to add jitter  
to the data service to stop people from using sip over their phones.

Here are some test numbers:
Quoted text here. Click to load it

If you want to experiment with SIP, I'd suggest doing it from a PC first  
since those apps are more mature. Twinkle is a good app on Linux. It  
even handles multiple calls.

The sip cell phone apps give you the option of using wifi or the  
cellular network.


Re: Using SIP to defeat the NSA

Quoted text here. Click to load it

Yep.  All they do is add your machine to their directory lookup
database.  For example, dialing your-fake-phone-number@example.com
will cause the example.com server to lookup where to find the fake
phone number and return its ip address and SIP phone port number.  You
provide those numbers dynamically when you login to their system with
a login and password.  Not exactly wonderful security, since all one
needs to know is your account number and who services the account.

Quoted text here. Click to load it

Exactly.  Hiding the SIP phone number and provider is like having an
unlisted phone number.  Eventually, it leaks out.

Quoted text here. Click to load it

As I previously mentioned, this is yet another cell phone encryption
system that uses the IP channel, and not the voice channel.

Quoted text here. Click to load it

Add jitter?  There's plenty there already.  Most jitter and packet
loss can be handled with a SIP jitter buffer.  Try testing the VoIP
jitter over a cell phone IP data channel:
<http://www.myconnectionserver.com/voip.html
Java required.


--  
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Using SIP to defeat the NSA
On 9/16/2013 8:31 PM, Jeff Liebermann wrote:
Quoted text here. Click to load it
I think technically that would be JVM required, which isn't going to  
happen on any phone I own.

If I put the phone in hotspot mode and use wifi to connect to a linux  
notebook, is the jitter test still valid? Otherwise I could tether to a  
windows notebook, but would have to install the JVM.

Basically I try to keep the browser from using the JVM if I can, for  
obvious reasons. Apparently the JVM by itself isn't much of a security  
risk, but letting your browser use it is a problem.

There is SIP over TLS, That should be secure. I'm not sure how easy that  
is to do mobile.

Site Timeline