more on using phone cards for secure communications

[David Farber <dave () farber net>]

Begin forwarded message:

From: Brad Templeton <btm () templetons com>
Date: August 4, 2006 2:14:31 PM EDT
To: David Farber <dave () farber net>
Cc: ip () v2 listbox com
Subject: Re: [IP] more on using phone cards for secure communications

On Fri, Aug 04, 2006 at 01:44:46PM -0400, David Farber wrote:
> Needless to say, phone cards should be purchased with cash, never more
> than one
> at a time, never twice in the same store, and preferably not under the
> gaze of
> a camera.
>
> It is too bad we need such tradecraft to keep our freedom.


Many of your pure-VoIP alternatives are also subject to at least traffic
analysis, so they can tap the IP addresses of the people you talked
to if they have a wiretap on your line, or theirs.  However, to the
best of my knowledge, nobody not already doing a wiretap keeps logs
of these associations, so they can't go back into the past and get
your "records."   It would be a pretty impressive job to keep records,
especially if applications start switching what ports they run on,
but it's not out of the question that future record keeping laws
might demand ISPs to log unique target/destinations on SIP packets,
for example.

One thing Skype provides that is very interesting is its use of
supernodes.  If Skype can't find a direct path for voice packets
using the UDP, it "recruits" an unwitting Skype user who is on
the external internet to be a bridge.  Your traffic goes through
the bridge, encrypted.   As such, somebody intercepting those
packets, except at the bridge, would not be able to know who you
were talking to.   (I suspect the reason Skype made encryption
standard was about 10% for promotion of user privacy, 40% for
keeping their protocol proprietary and 50% because they would
have gotten into big trouble if the supernodes were able to
listen in on conversations and start putting juicy ones up on
the web.)

However, other things might catch you out, including your
query on the user's Skype ID into the network, possible
attempts to connect directly with the other user before
realizing you must use a supernode, the presence of taps
at both ends (less likely), hidden windows in the Skype
security, and finally, the fact that your Skype client
records a history on your own machine of your calls
with everybody, which could be taken with a warrant or
subpoena -- though press might have some protection in
the latter case.   Note that most computerized phone
tools keep phone logs for you, as that is what most
users want.   However, it's better to have logs on your own
machine under your control than at a 3rd party's servers.

(Note that many people who may think they are behind a
NAT will not use supernodes.  This occurs only when both
parties are behind a highly enforced NAT or firewall.  The vast majority
of NATs can be penetrated with a number of techniques.
Many modern ones also support the uPNP protocol for explicit
opening by clients. )

You can use Skype or other applications from internet cafes, or
while some would consider it questionable, from open wireless
networks where you don't have such explicit permission.
Traffic anlalysis on this is not very fruitful, again unless
you keep using the same one all the time.   However, once
again you're a big step over the phone system (and VoIP
phone interconnects like Vonage) because nobody but you is
keeping records for now.


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/