http://www.txtimpact.com
(sms gateway and mobile marketing solutions provider)

When a provider of phone call encryption software sell mainly to government like cellcrypt does, usually has to obey to their government customers.

What if a large government customers of cellcrypt ask them to place (or enable) a backdoor in their closed-source, proprietary encryption stuff because a small, private customer need to be intercepted by that government?

In a situation where the small private customer represent the 0.05% of gross sale of the company while the large government represent the 10% of the gross sale of the company, what the company will do?

Obey to the very large government customer causing a damage to the very small private customer or not?

The answer it's up intelligent person to identify the right answer.

I think that conflict of interest in encryption products must be avoided and the transparency must be enforced by the use of opensource and open standards.

See ZRTP http://en.wikipedia.org/wiki/ZRTP .

When a provider of phone call encryption software sell mainly to government like cellcrypt does, usually has to obey to their government customers.

What if a large government customers of cellcrypt ask them to place (or enable) a backdoor in their closed-source, proprietary encryption stuff because a small, private customer need to be intercepted by that government?

In a situation where the small private customer represent the 0.05% of gross sale of the company while the large government represent the 10% of the gross sale of the company, what the company will do?

Obey to the very large government customer causing a damage to the very small private customer or not?

The answer it's up intelligent person to identify the right answer.

I think that conflict of interest in encryption products must be avoided and the transparency must be enforced by the use of opensource and open standards.

See ZRTP http://en.wikipedia.org/wiki/ZRTP .

http://www.mobileindustryreview.com/2008/05/cel…

our press release of earlier today does look like we're jumping on the bandwagon. It just took a while to get all parties to write their bits.

Give Peter Cox a cal for the nitty gritty – or let's have a chat about the need to use VoIP as the way to really move forward,

cheers
Andrew Bowen
079 2000 1122

- – -

UM Labs and Phil Zimmerman in exclusive agreement to deliver ZRTP security and encryption for voice calls on fixed and mobile networks.

London, UK – July 13th 2009 – UM Labs Ltd, Phil Zimmermann and UM Labs have signed an exclusive agreement that confirms UM Labs as the sole supplier of gateway implementations of ZRTP.

UM Labs can now strengthen their VoIP security gateways and extended encrypted voice capability into the mobile/cell-phone. Incorporating ZRTP encryption enables secure calls between corporate VoIP networks, cell-phones and VoIP end-points on fixed line networks. ZRTP has been designed by Phil Zimmermann (creator of PGP email) to provide encryption for audio and video calls on VoIP networks.

ZRTP differs from other encryption protocols by using the media channel to set up the encryption keys needed to secure a call – this means true end-to-end security separated from the intermediate signalling parties. Other protocols use the signalling stream which has the disadvantage that the keys will be visible to intermediate devices that must process the signalling stream for call routing. ZRTP’s use of the media path for key agreement provides end-to-end security and ensures that media keys are not visible to any intermediate signalling device. This makes ZRTP an ideal choice for use on networks where VoIP signalling is processed by the network operator and where it is important to ensure call confidentiality.

ZRTP’s design has made it a popular choice for use on cellular networks; ZRTP capable VoIP clients are available for a wide range of cell phones.

UM Labs offer a gateway implementation of ZRTP on their entire SIP Security Controller product range. A UM Labs SIP Security Controller installed at the network perimeter enables any ZRTP capable phone, connected to a fixed or mobile network, to make a secure call directly into the corporate VoIP network. The end-to-end encryption provided by ZRTP ensures that calls are protected between the user’s phone and the corporate network. The high grade of encryption used means that secure calls can be made in confidence, regardless of the caller’s location.
Peter Cox, CEO of UM Labs commented: “VoIP technology is now in widespread use to provide links to corporate phone systems from remote workers, roaming users and business partners. By providing ZRTP across our entire product range, we are able to ensure that all remote VoIP connections are protected with high grade security. ZRTP means that we can provide encrypted VoIP connections to devices on mobile networks, as well to those on fixed line networks and on WiFi connections.

Phil Zimmermann commented: “The partnership with UM Labs extends the reach of ZRTP and enables ZRTP users to communicate securely with users linked to any commercial VoIP system. This effectively brings the major PBX vendors, including Avaya, Cisco, Nortel and many others into the ZRTP community.”

- – -

About UM Labs Ltd

UM Labs delivers a range of application level security gateways for VoIP and Unified Messaging. These gateways are designed to provide security controls targeted at the range of threats that affect VoIP and UM applications, exceeding the capabilities of standard Firewalls. UM Labs product range also provides a realistic and cost effective alternative to Session Border Controllers (SBC).
UM Labs founders include Peter Cox, formerly co-founder of Internet Security Specialist Borderware Technologies. While at Borderware, Peter contributed to the design of the Borderware Firewall Server, one of the first commercial Firewall products and to the company’s MXtreme product, an application level security gateway for email. Peter was also responsible for the project, which gained a total of 3 Common Criteria EAL4+ certifications for Borderware’s products.
For the past two years, Peter has focused on researching VoIP security issues and has written a number of white papers including a survey of the threats facing VoIP applications and a discussion on the ability of standard firewalls to address each of these threats.
For more information, please visit our website, http://www.um-labs.com/

About Phil Zimmermann

Philip R. Zimmermann is the creator of Pretty Good Privacy, an email encryption software package. Originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread worldwide. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc. That company was acquired by Network Associates Inc (NAI) in December 1997, where he stayed on for three years as Senior Fellow. In August 2002 PGP was acquired from NAI by a new company called PGP Corporation where Zimmermann now serves as special advisor and consultant. Zimmermann currently is consulting for a number of companies and industry organizations on matters cryptographic, and is also a Fellow at the Stanford Law School's Center for Internet and Society. He was a principal designer of the cryptographic key agreement protocol for the Wireless USB standard. His latest project is Zfone, which provides secure telephony for the Internet.
For more information, please visit Phil’s web site, http://philzimmermann.com/

- – -

As I said in the article there appears to be a lot of sensationalism in the press. Whilst it is theoretically possible to 'eavesdrop' on the radio leg of a mobile call, it's not the easiest thing in the world. As you say it's much easier to get into voicemail boxes of people who have been stupid enough not to set a PIN – which seems to be more likely the case in the NoTW saga.

I don't think much more has been released over the exact nature of the 'taps' – and we might never know the whole truth. If – and this is a big if (and of course theoretical in nature) there was involvement of employees on the mobile operator side of things, or it was a real world example of GSM encryption being broken, I'm sure the operators and the GSM Association would, quite understandably, be busy with lawyers and PR people trying to stop such information getting into the public domain.

I thought that the News of the Screws had managed to get Private Investigators to break into voicemail rather than tap calls. I had understood that the hack involved stupid people not putting a PIN on their Mailbox.

Is there anything else we know about the means of entry and advice for us who try not to be stupid?

Steve