comms – PrivaSecTech
Wed, 13 Nov 2019 18:33:32 +0000

What communication systems can you trust?
Mon, 05 Nov 2012 20:37:45 +0000

After reading my Everything you say is likely compromised post, my friend Ross Henton asked,

“is it your contention that no commercial security or privacy product has a valid trust model?”

The argument I was trying to make is that most people make calls with the assumption that they are private; however, the truth is that there are free tools one can get off the internet to intercept pretty much any communication that happens today. I was simply trying to raise awareness.

This is especially important as we move into an age of surveillance. You likely don’t want a foreign state actor listening to your communications, or likely even your own government. Obama passed the NDAA, and in Canada Bill C-30 is on the table, allowing these governments to spy on their own people, without warrants. No matter what technology you’re using, it’s likely now that your neighbour can listen to you as well.

As any communication is open to interception, the bare minimum to prevent being eavesdropped upon is to encrypt communication; the challenge is that implementing strong encryption well is not trivial. As such, the minimum standard for trusting any communications has to be that the source code is open source, which would allow any cryptanalyst to review the code and verify it’s not backdoored and that the encryption has been implemented correctly. So this is what I’m claiming is a minimum standard.

Before we discuss what the default standard should be, think about which communication systems you can trust. Is there a valid trust model that can be implemented with today’s technology, that a civilian with access to the internet couldn’t compromise?

Everything you say is likely compromised
Mon, 05 Nov 2012 09:24:04 +0000

Ever since the early days of 2600, people have been learning what it takes to compromise voice conversations.

Starting with your standard telephone (POTS) line, one can still beige box you with cheap or free used gear.

Analog cell phones have always been easy to listen to, with any non-American frequency scanner. In Canada, it is legal to listen to these.

Modern digital cellular phones use GSM encryption, which can now be compromised with sufficient resources.

Skype has a history of issues, and even without them trivially provides “security investigators” with personally identifiable information.

Most VoIP (SIP) traffic can easily be captured with a packet sniffer.

If you don’t want your voice conversations to be trivially compromised, you need encrypted (preferably open source, to verify it’s been implemented correctly) solutions. Currently the only free solutions are ZRTP (for SIP) or RedPhone (for Android). If you know of any other solutions, or if either of these has been compromised, please let me know (kris@ this domain) and I’ll update this post.

It’s important to note that this only covers the communications protocol. Security is like a river: a compromise usually takes the path of least resistance, so if your physical location or surrounding hardware or software is compromised, so is your next conversation.