Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

more on FCC not Schizo at all

From: David Farber <dave () farber net>
Date: Wed, 10 Aug 2005 06:10:04 -0400


Begin forwarded message:

From: Bill Stewart <bill.stewart () pobox com>
Date: August 9, 2005 11:26:54 AM EDT
To: declan () well com
Cc: hugh () hughcrawford com
Subject: RE: [IP] FCC not Schizo at all
Hugh Crawford's disagreement with Declan misses a critical technical distinction, and the services, particularly Skype, are moving in more tappable directions. Most modern VOIP protocols use two separate kinds of connections - a signalling connection to set up the call, and a media connection between the callers.
But any of the centralized services that connect to the public telephone network, like Vonage and AT&T CallVantage and possibly SkypeIn/SkypeOut, have a hook into the regulated infrastructure where wiretapping can happen. For an outbound only service, the trunk to the PSTN is normally shared, so a given caller's call might show up on any random channel, and eavesdropping is easier if the service provider can be bullied into identifying which targeted caller is on which channel, or which caller is calling a targeted callee, and it's similar to the problem of eavesdropping on a PBX or hotel phone system. Depending on how the network handles CallerID, it may even be easy to get from the trunk signalling. It's possible to design a decentralized system that uses PBXs or individual phones to deliver calls to the local telco providers (at least for outbound calls), and that would be much harder to wiretap.
With the original Skype service, the non-US-based company sells the software, and the signalling is mostly done by peer-to-peer networks, but with most other VOIP protocols, the signalling happens at some server that may or may not be under the jurisdiction of some regulator (in the case of SIP, the protocols support proxies and hierarchy, so you may have a PBX-like signalling server talking to a carrier.)
In the purely-IP world, if the media channel is encrypted, it's hard to eavesdrop on it directly, but the fans of wiretapping are sure to decide that the signalling channel is similar to old-style pen- register traces, and the accounting (if any) is similar to phone company accounting, and therefore they'll try to get access to that information at any regulatable provider the way they do with phone records today, possibly without the niceties of full wiretap warrants. Also, when the signalling server can be bullied into cooperating, a wiretap is not much different from a three-way conference call, and it gets around the problems of encrypted media channels (though that can usually be done by having the signalling server tell the endpoints to set up the call unencrypted and using ISP wiretaps.) Those attacks are much easier when the servers are managed by a regulatable carrier - it's not possible to tell non-US software companies to build in backdoors, and it's hard to get PBXs to cooperate in wiretapping, not only because they're not regulated, but because they're often managed by one of the targets of the wiretap so you can't do it without them noticing.
By the way, too many of the big SIP controllers on the market don't usually enable media-channel encryption, especially for calls to carrier-provided PSTN gateways. It's very frustrating. 

                        Bill Stewart




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: