How the Greek cellphone network was tapped.

Leichter, Jerry leichter_jerrold at emc.com
Tue Jul 17 13:11:41 EDT 2007


| >Between encrypted VOIP over WIFI and eventually over broadband cell -
| >keeping people from running voice over their broadband connections is
| >a battle the telco's can't win in the long run - and just plain
| >encrypted cell phone calls, I think in a couple of years anyone who
| >wants secure phone connections will have them.
| 
| I think you're looking at this a bit wrong.  I remember the same
| opinion as the above being expressed on the brew-a-stu list about
| fifteen years ago, and no doubt some other list will carry it in
| another fifteen years time, with nothing else having changed.  Anyone
| who wants secure voice connections (governments/military and a
| vanishingly small number of hardcore geeks) already have them, and
| have had them for years.  Everyone else just doesn't care, and
| probably never will.  This is why every single encrypted-phones-for-
| the-masses project has failed in the market.  People don't see phone
| eavesdropping as a threat, and therefore any product that has a
| nonzero price difference or nonzero usability difference over an
| unencrypted one will fail.  This is why the only successful encrypted
| phone to date has been Skype, because the crypto comes for free.
| 
| I once had a chat with someone who was responsible for indoctrinating
| the newbies that turn up in government after each election into things
| like phone security practices.  He told me that after a full day of
| drilling it into them (well, alongside a lot of other stuff from other
| departments) it sometimes took them as long as a week before they were
| back to loudly discussing sensitive information on a cellphone in the
| middle of a crowded restaurant.
| 
| So in terms of secure voice communications, the military and geeks are
| already well served, and everyone else doesn't care.  Next, please.

I won't disagree with you here.  Most people don't perceive voice
monitoring as a threat to them - and if you're talking about monitoring
by many governments and by business intelligence snoopers, they are
perfectly correct.  (I say "many governments" because those governments
that actively monitor and control large portions of their citizenry
hardly make a secret of that fact, and citizens of those countries
just assume they might be overheard and act accordingly.  The citizens
of, for lack of a better general phrase, the Western democracies, are
quite right in their assessment that their governments really don't care
about what they are saying on the phone, unless they are part of a very
small subpopulation involved, whether legitimately or otherwise, in
politics or intelligence or a couple of other pretty well understood
areas.)

Selling protection against voice snooping to most people under current
circumstances is like selling flood insurance to people living in the
desert.  If you're an insurance hacker - like a security hacker - you
can point out that flash floods *can* happen, but if they are so rare
that no one is likely to be affected in their lifetime, your sales
pitch *should* fail.

What will change things is not the technology but the perception of a
threat.  Forty years ago, the perceived threat from airplane hijacking
was that it was non-existent, and no one would consider paying the cost.
Today, we pay a very significant cost.  The threat is certainly
greater, but the *perceived* threat is orders of magnitude beyond even
that.

The moment the perceived threat from phone eavesdropping exceeds some
critical level, the market for solutions (good and, of course,
worthless) will materialize.  As you note, in the military and
intelligence community, the real and perceived threats have been there
for years.  And the crypto hackers will perceive a threat whether it
exists or not.

I'd guess that the next step will be in the business community.  All it
will take is one case where a deal is visibly lost because of "proven"
eavesdropping ("proven" in quotes because it's unlikely that there will
really be any proof - just a *perception* of a smoking gun - and in fact
it could well be that the trigger case will really be someone covering
his ass over a loss for entirely different reasons) and all of a sudden
there will be a demand for strong crypto on every Blackberry phone link.
Things have a way of spreading from there:  If the CEO's need this, then
maybe I need it, too.  If "it" is expensive or inconvenient, I may feel
the need, but I won't act on it.  But the CEO's will ensure that it
isn't inconvenient - they won't put up with anything that isn't
invisible to them - and technology will quickly drive down the cost.

							-- Jerry
