You know what's coming next
Some half-arsed legislation making it illegal to connect a GSM terminal to any device with a storage space larger than 200 GiB or something.
Cryptographers have devised a low-cost way to intercept phone calls and text messages sent over the majority of the world's mobile networks. The attack, which requires four $15 Motorola handsets, a medium-end computer and a 2TB hard drive, was demonstrated last week at the 27th annual Chaos Communication Congress in Berlin. It …
If network operators can't be relied upon to upgrade their systems, users will have to employ 'add-on' security via software or hardware accessories to maintain their privacy - which at least make the ever intrusive governments work for their money.
When the networks do eventually upgrade it will be the end of all the drive-by intelligence gathering activity that presently well-endowed snoopers currently do - with or without court permission.
Of course little of increased security will faze the U.S. NSA or the FBI as all cell systems in the U.S., and elsewhere in some countries, have to be CALEA-compliant so the FBI surveillance system, called DCSNet, for Digital Collection System Network, a suite of software that collects, sifts and stores phone numbers, phone calls and text messages, basically a comprehensive wire-tap system that intercepts wire-line phones, cellular phones, SMS and push-to-talk systems . The system directly connects FBI wire-tapping outposts around the country to a far-reaching private communications network.
Unaffected will also be the DCS-6000, known as Digital Storm, captures and collects the content of phone calls and text messages for full wire-tap orders.
Neither 'do' Skype!
Android users already have software options. It's always good to separate the encoding devices from a handset so you can be assured there are no 'bypass' circuits leaking unencrypted messages.
I assure you I didn't give you a thumb down. I in fact wrote a comprehensive answer that was rejected by the powers that Bee, probably because it was rambling and off topic. My summary, hoping it won't be rejected this time:
I don't claim to be a grammar pedant (although this icon seemed most appropriate). I view these comments as a form of speech rather than strict prose. Hence in this case, the two question marks suggest the ellipsis of "doesn't it", and "n'est-ce pas", respectively.
Obligatory on-topic note (in the hope of an accepted comment): this rainbow table problem should be a lesson to anyone implementing device encryption. Extrapolate the size of RT needed for majority decryption, and using Moore's law extrapolate how much storage is likely to be easily available at the "end of life" of the product. Now triple the predicted life of said product, and then triple the predicted storage and do it again. If your table is still orders of magnitude too big, then you might just be okay.
See p22 of the presentation PDF: passive interception of data is currently not possible.
I'm only surprised this 25 year old technology has survived this long. Certainly the operators should have been preparing for this since the proof of concept 12 months ago. As Bruce Schneier is fond of pointing out, crypto attacks always get better, never worse.
Any standard that aims to provide security through encryption should have a built in obsolescence clause. Without a move to something like quantum crypto all approaches are going to be susceptible to attacked. Since the attacks will always improve (they can build on previous attacks) and the available supply of computing power will continue increase. All these systems will have a sell by date. The standards should be written to accept this. That way the standards setting people stand a chance of being ahead of the game. At least we'll have a good honest race between the developers and the crackers. The current approach of write once and use for ever is doomed to failure.
Surely the phone and equipment manufactures would love this, it builds a refresh cycle into the product definition and it wouldn't even be there fault.
Of course it would piss off many customers, who think a phone is just a phone, not the latest piece of status jewellery.
This is done by sniffing traffic using modified (by replacing the firmware) handsets and a rainbow table to break the encryption.
I can see us very soon being in a position similar to TACS/AMPS where people were cloning phones (and running up huge bills) by sniffing the ID info off air and also listening in to 'private' conversations (older readers can search for 'squidgygate'). Operators should be whitelisting their HLRs and (preferably) moving to a more secure encryption system.
Biting the hand that feeds IT © 1998–2019