How the Greek cellphone network was tapped.

Steven M. Bellovin smb at cs.columbia.edu
Thu Jul 19 10:10:35 EDT 2007


On Tue, 17 Jul 2007 13:11:41 -0400 (EDT)
"Leichter, Jerry" <leichter_jerrold at emc.com> wrote:

> 
> I'd guess that the next step will be in the business community.  All
> it will take is one case where a deal is visibly lost because of
> "proven" eavesdropping ("proven" in quotes because it's unlikely that
> there will really be any proof - just a *perception* of a smoking gun
> - and in fact it could well be that the trigger case will really be
> someone covering his ass over a loss for entirely different reasons)
> and all of a sudden there will be a demand for strong crypto on every
> Blackberry phone link. Things have a way of spreading from there:  If
> the CEO's need this, then maybe I need it, too.  If "it" is expensive
> or inconvenient, I may feel the need, but I won't act on it.  But the
> CEO's will ensure that it isn't inconvenient - they won't put up with
> anything that isn't invisible to them - and technology will quickly
> drive down the cost.

You're an optimist.  There was the Israeli case of the tailored virus.
I haven't noticed any rush to get rid of insecure operating systems,
mailers, and word processors.  Or have a look at
http://fe24.news.re3.yahoo.com/s/nm/20070717/tc_nm/internet_attack_dc
and ask if that will do it.  (Department of Transportation?  Department
of Defenses, more likely, from that list of businesses...)  Today's
Wall Street Journal reported on "new" threats from ads on the Internet,
and loudly worried why ad companies and web sites weren't doing more to
filter their offerings.  But an ad is just web content, which means
that the real problem is the web browser and host OS.  Will that prompt
a switch?

We're talking about phone calls -- did all of the well-publicized
cellular eavesdropping (Prince Charles, Newt Gingrich (then a major US
politician), and more) prompt a change?  Well, there are now US laws
against that sort of phone eavesdropping gear -- a big help....

Want another example?  How many US corporations have major operations
in China?  What are the odds that the Chinese government is listening
in?  If you're uncertain, see (a) the posting on this list a few days
ago about the landing declaration about communications security devices
and yesterday's news story about email problems to China because of
apparent problems with the Great Firewall
(http://www.cnn.com/2007/TECH/07/18/china.email.reut/index.html).  None
of his seems to have affected business there.  (Nor are corporations
unaware of this; I was advising people on this close to 20 years ago.)

I agree that it will take a trigger.  I don't know what that trigger
will be, but it won't be something as simple as a proven case.  It's
hard to predict what will get enough people upset; sometimes, it's
nothing at all.  (Remember the Pentium serial number case?  Objectively,
that was a complete non-issue, but enough people got upset about it
that Intel had to back off.)

It will also have to be dead simple.  It can't happen on the POTS
network, because modem handshaking takes too long.  It can't happen on
conventional cellular unless the voice is traveling over a
clear-channel end-to-end data connection, not something that the
carrier's equipment "knows" is voice.  (There's also the question of
phone CPU access to the voice channel, per Bill Stewart's post.)  It
could happen for VoIP if done properly, as others have pointed out.  It
has to be easy to use, which means that things like PKIs are, shall we
say, obstacles.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list