Tuesday, June 17, 2008

Breaking Phone-Call Encryption

A data compression scheme could leave Internet phone calls vulnerable to eavesdroppers.

A technique for saving bandwidth in Internet phone calls could undermine their security, according to research recently presented at the IEEE Symposium on Security and Privacy. Johns Hopkins University researchers showed that, in encrypted phone calls using a certain combination of technologies, preselected phrases can be spotted up to 50 percent of the time on average, and up to 90 percent of the time under optimal conditions.
Voice-over-Internet-protocol (VoIP) phone calls, in which a computer converts a voice signal into data packets and sends them over the Internet, are increasingly popular for personal and business communication. Although most VoIP systems don't yet use encryption, says Jason Ostrom, director of the VoIP-exploitation research lab at Sipera Systems, it's absolutely necessary, particularly for business users. In many cases, security measures aren't in place because companies haven't realized how vulnerable VoIP can be, he says. He cites an assessment that he did for a hotel that uses VoIP phones, in which he showed that an attacker could access and record guests' calls using a laptop plugged into a standard wall connection. The Johns Hopkins researchers hope that pointing out possible holes in voice encryption systems can help ensure their security when they become more commonplace.
The Johns Hopkins attack takes advantage of a compression technique called variable-bit-rate encoding, which is sometimes used to save bandwidth in VoIP calls, explains Charles Wright, lead author of the paper. (Wright, who recently received his PhD from Johns Hopkins, will join the technical staff at the MIT Lincoln Laboratory in August.) Variable-bit-rate encoding, Wright says, adjusts the size of data packets being sent over the Internet based on how much information they actually contain. For example, when the person on one end of a VoIP call is listening rather than speaking, the packets sent from that person's computer shrink significantly. Also, packets containing certain sounds, such as "s" or "f," can take up less space than those containing more-complex sounds, such as vowels.
Encrypting the packets after they've been compressed scrambles their contents, making them look like gibberish. But it doesn't change their size, which is what would give away information to potential eavesdroppers.
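
The size leak described above, and one common countermeasure (padding every frame to a constant size before encryption), shown as an added example that is not from the article or the researchers' paper. The frame sizes, the padded size and the toy cipher are constructed assumptions chosen only to make the effect visible.

```python
import hashlib
import os

# Constructed, illustrative frame sizes (bytes) for a variable-bit-rate codec:
# silence and fricatives ("s", "f") compress smaller than vowels.
FRAME_SIZES = {"silence": 6, "fricative": 15, "vowel": 38}
PADDED_SIZE = 40  # hypothetical constant payload size, >= largest frame + 1

def vbr_encode(sound_classes):
    """Stand-in for a VBR codec: payload size depends on the sound class."""
    return [os.urandom(FRAME_SIZES[c]) for c in sound_classes]

def encrypt(key, seq, payload):
    """Toy length-preserving stream cipher (SHA-256 keystream XOR).
    Illustration only; it models any cipher that keeps payload length."""
    stream = b""
    block = 0
    while len(stream) < len(payload):
        stream += hashlib.sha256(key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(payload, stream))

def pad(frame, size=PADDED_SIZE):
    """Constant-size framing: 1-byte length, the frame, then zero fill."""
    if len(frame) > size - 1:
        raise ValueError("frame larger than padded size")
    return bytes([len(frame)]) + frame + bytes(size - 1 - len(frame))

def unpad(padded):
    """Receiver side: recover the original frame from the padded payload."""
    return padded[1:1 + padded[0]]

def observed_lengths(sound_classes, padded):
    """Ciphertext lengths visible to a passive observer on the network path."""
    key = os.urandom(32)
    frames = vbr_encode(sound_classes)
    if padded:
        frames = [pad(f) for f in frames]
    return [len(encrypt(key, i, f)) for i, f in enumerate(frames)]

def bandwidth_overhead(sound_classes):
    """Cost of padding: padded bytes divided by unpadded bytes."""
    raw = sum(FRAME_SIZES[c] for c in sound_classes)
    return PADDED_SIZE * len(sound_classes) / raw

if __name__ == "__main__":
    utterance = ["silence", "fricative", "vowel", "vowel", "fricative", "silence"]
    print("unpadded:", observed_lengths(utterance, padded=False))
    print("padded:  ", observed_lengths(utterance, padded=True))
    print("overhead: %.2fx" % bandwidth_overhead(utterance))
```

Without padding the ciphertext lengths mirror the codec's frame sizes exactly; with padding every packet looks the same, at the price of the bandwidth that variable-bit-rate encoding was meant to save.
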
In their tests, the Hopkins researchers simulated the packets that a combination of compression and encryption would produce for particular phrases. While an example of the way that a targeted speaker pronounced a particular phrase would give eavesdroppers a big advantage, they could still simulate the phrase using a pronunciation dictionary and a database of sample sounds from multiple speakers. The researchers can create many versions of the sounds in the phrase, which lets them accommodate different accents and other variations in pronunciation. They then use probabilistic methods to look for likely instances of the phrase. Wright says that the method can identify the phrase, on average, about half the time that it occurs, and that about half of the phrases it flags turn out to be exact matches of the desired phrase. In some circumstances, as when the phrases are longer, or when the speakers are particularly well matched to the simulated versions of the phrase, the accuracy became as high as 90 percent, Wright says. Because eavesdroppers have to know what phrase they're listening for, Wright says, "the threat would be more to technical, professional jargon than to an informal call between friends or family members."

While 50 percent accuracy may not sound like much, "these are encrypted conversations, so your expectation is not to be able to do this at all," says Fabian Monrose, an associate professor of computer science at Johns Hopkins, who was also involved in the research.
Matt Bishop, a professor of computer science at the University of California, Davis, agrees. "Fifty percent is quite scary," he says, "because what it means is that, in essence, you could potentially understand a fair portion of the conversation. The whole purpose of encryption is to prevent understanding." He adds that the attack is made more realistic by its ability to simulate phrases from standard sample sounds, which would be easier for an attacker to obtain than speech samples from the person he or she wants to spy on.
Sipera Systems' Ostrom says that he found the research particularly interesting "because it shows that you shouldn't feel safe just because you're using a security control. You still have to validate it to ensure that it meets your requirements." He adds, "In VoIP, there's always a fight between quality of service and security." The researchers' attack is a good example, he says, because it explores how an effort to improve quality of service by reducing bandwidth usage can affect efforts to protect calls. However, Ostrom notes that most corporations aren't currently using variable-bit-rate encoding and wouldn't now be at risk.
Wright and Monrose say that they see their work as more of a cautionary tale. Monrose says that recently he has been seeing drafts of technical specifications that call for variable-bit-rate encoders. "Our gut reaction was, this has privacy implications that people have not well studied," he says. The researchers say that they hope their work will prevent people from making design decisions in isolation and encourage them to think about solutions that will increase both efficiency and security. "If we start combining tools the way a lot of the specifications are calling for," Monrose says, "then we need to make sure that we do it in the right way."

Laptop works better for movies than games

http://edition.cnn.com/2008/TECH/ptech/06/11/hp.pavilion/index.html

Externally the two laptops are identical, but the dv9700t includes a current Penryn processor, an upgraded graphics card, and a higher display resolution.
Also, the dv9500t's HD DVD drive has (out of necessity) been replaced by a Blu-ray drive in the dv9700t.
The landscape of laptops has also changed since we last examined the 17-inch Pavilion model.
However, the Pavilion dv9700t's primary advantage over the Gateway lies in its Blu-ray drive, HDMI connectivity, and massive hard drive capacity, all of which make it the superior machine for HD video.
In the end it comes down to your primary reason for buying an entertainment-oriented desktop replacement: if for gaming, choose the Gateway P-172X FX; if for watching high-definition movies, choose the HP Pavilion dv9700t.
The difference between the two systems was more dramatic on our Unreal Tournament test, where the gaming-oriented Gateway displayed nearly three times as many frames per second as the Pavilion dv9700t. The Pavilion dv9700t's frame rates, while acceptable, seem best suited for watching HD movies and playing casual games.
We hardly expect such a massive system to perform well on our battery tests. However, the Pavilion dv9700t lasted an impressive 2 hours, 36 minutes on our taxing DVD drain test. That battery life would be admirable on a smaller laptop and is downright impressive for a desktop replacement with such a large screen.

I also seem to enjoy movies better than games.

Microsoft now sponsor of Open Source Census

http://open.itworld.com/4925/microsoft-sponsors-open-source-census-080616/page_1.html

Sukgu's Comment - How can we interpret the attempt made by Microsoft? Is it an attempt to change their strategy from closed to open source that has enabled the company to command much higher profit than average for a long time? I think this doesn't mean that they will change right now. However, it could be a positive signal that they finally will change in the future. I don't know how long it will take. However, environmental changes surrounding the company will force them to change.


Microsoft has become a sponsor of The Open Source Census, a project started earlier this year that aims to track and catalog the use of open-source software in enterprises worldwide, the group announced Monday.

Former 'spam King' Must Pay MySpace $6 Million

A Colorado man has been ordered to pay US$6 million in damages and legal fees for spamming thousands of MySpace.com users.
Scott Richter of Westminster, Colorado, must pay MySpace $4.8 million in damages and $1.2 million in legal fees, a court-appointed arbitrator ruled on Thursday.
Richter, who was once accused of pumping out more than 100 million spam messages per day, had been sued by MySpace in January 2007 in connection with an August 2006 campaign in which MySpace members were hit with unsolicited messages promoting a Web site called Consumerpromotionscenter.com. The messages were sent from phished MySpace accounts, according to the findings of Philip Boesch, the court-appointed arbitrator in the case.
The messages were sent to a MySpace community that was ill-equipped to deal with any security problems. At the time, "MySpace only employed two relatively junior staff employees to deal with these issues," Boesch wrote. The company's security staff has now grown to about 40, he added.
MySpace had been seeking a court ruling in the case, but in August 2007, U.S. District Judge George King of the Central District of California granted Richter's request to assign the matter to arbitration. Terms of the award were made public on Monday.
In a statement, Richter said that he and his company, Media Breakaway, were happy to have this matter behind them, noting that the arbitrator's award was 95 percent less than the amount sought by MySpace.
"We respect the decision of the arbitrator and we're not going to appeal it," said Steven Richter, the president and general counsel of Media Breakaway and father of Scott Richter. "We're going to pay the money he awarded."
This is not the first time a Scott Richter company has had to cough up millions of dollars to fight spam charges. In 2005, his previous company, Optinrealbig.com, paid $7 million to settle similar charges brought by Microsoft.
Scott Richter was removed from anti-spam organization Spamhaus' list of known spammers that same year.
Media Breakaway, which has no other spam cases pending, is doing everything it can to build a compliance team and make sure it is acting within the law, Steven Richter said.
MySpace said the Richter award was the latest in a series of steps it has taken to combat abuse on its Web site. In May, the company was awarded a $230 million antispam judgment against Sanford Wallace and Walter Rines.
"This award reflects MySpace's continued momentum and holistic approach to ridding the site of spammers and phishers," MySpace said in a statement. "We will continue to do our part in cleansing the Internet of this invasive onslaught of spam."

Nokia launches new phones, vows to stay number one

Finnish telecom giant Nokia has launched two new email-capable handsets for business users and vowed to defend its position as the world's leading mobile phone maker.
Nokia said the E71 and E66 were pre-loaded with Microsoft's popular email programme and would cater to business professionals who wanted easy and instant access to their messages.
"With the E series, we want to serve people who are passionate about their work," said Chris Carr, Nokia's vice president for regional sales, at a launch in Singapore late Monday.
The two phones would be available in July and support email accounts from key Internet service providers such as Yahoo! and Google's Gmail, the firm said.
It said there were an estimated 1.5 billion email users globally and that there were set to be four billion mobile users by the end of 2009.
"We have grown our share with the broadest portfolio of devices in the industry... Nokia remains the undisputed leader and it is a leadership mantle we will not relinquish," Carr said.
The business mobile sector is currently dominated by Canada's Research in Motion, maker of the BlackBerry smart phone combining a mobile phone and personal digital assistant (PDA).
The BlackBerry allows users to browse the Internet, use e-mail and make calls and has proven a big hit with business executives worldwide.
Apple is also taking aim at the corporate market with the launch of its touch-screen-activated 3G iPhone, which will come with faster Internet access and more features for business users than its initial iPhone.
South Korea's Samsung on Monday unveiled its latest smart phone, a touch-screen model to be commercially launched in Southeast Asia this week.
The Samsung and Nokia launches came on the eve of CommunicAsia. The event is billed as the region's leading information and communications technology conference and exhibition and began Tuesday in Singapore.

Cheap PC gadget for Internet calls selling well

What's the fastest-growing fixed-line phone company in the United States?
It's not Verizon Communications Inc. or AT&T Inc. — they're losing lines. What about cable company Comcast Corp., which is raking in subscribers for its phone service? Even that company is being beaten by a small Palm Beach, Fla., company called YMax Corp., judging by its own figures.
You may never have heard of YMax, but you may have noticed the TV ads for its product, the MagicJack, which works with a broadband connection.
It's about the size of a matchbox and plugs into a PC. After plugging a regular phone into the MagicJack, the user can make and receive calls much like using a regular landline.
In January, just after the broad advertising campaign started, YMax was selling a few hundred MagicJacks per day, said Jim Donlon, its chief marketing officer. Now, it's selling 8,000 to 9,000 per day, and the company is on track to have half a million subscribers by the end of June.
That's a meteoric trajectory in the phone business, propelled by the pricing: The MagicJack costs $39.95, including one year of free calls to the U.S. and Canada. Another year of service costs $19.95.
"It's extremely low-risk. Most people I know are willing to gamble on 40 bucks," said TeleGeography analyst Stephan Beckert, who follows voice-over-Internet providers.
Unlike most voice-over-Internet Protocol — or VoIP — providers, YMax is licensed as a phone company in the continental U.S. and operates a wide network of servers to carry its calls. VoIP providers generally outsource that side of the business.
Comcast, the fastest-growing cable voice provider, signed up a net average of 7,100 customers per day in the first quarter, ending with 5.1 million on March 31. Vonage Corp., the leading independent provider of VoIP that works with regular phones, was averaging 334 per day, for a total of 2.6 million.
YMax's subscriber numbers are "significant," Beckert said, but he noted that its revenue is much lower than that of competing providers because it charges about as much for a year of service as its rivals do for a month. Even eBay Inc.'s Skype, which uses computers for calling, charges significantly more.
It's unclear what effect the MagicJack is having on competitors.
YMax Chief Executive Don Burns said many customers buy a MagicJack as a complement to a cell phone, compensating for poor cell coverage at home. When the computer is off, the service can be set to forward incoming calls to a cell phone.
Burns and inventor Dan Borislow founded the company, financing it largely themselves. They're telecom industry veterans — Borislow pioneered selling long-distance service to AOL subscribers in the 90s and Burns was the CEO of Telco Communications Group, which provided discount long-distance calls.
Burns says YMax's structure helps keep cost low and call quality high. In the future, the company plans to sell advertising that shows up on the PC screen while calls are being placed. It would use its knowledge of the customer's location to display relevant ads.
Even so, Beckert is skeptical of the business model. Like YMax, Vonage has recruited customers by TV advertising for years. But Vonage has consistently lost money.
"I'm still not sure how you make money at $20 a year," Beckert said.
MagicJack's next moves are to get on the shopping channel QVC and possibly expand sales beyond the Web and call centers.
"We have big-box retailers jumping at this," Donlon said.

Apple and Intel: Best buddies

http://bigtech.blogs.fortune.cnn.com/2008/06/13/apple-and-intel-best-buddies/

June 13, 2008, 8:00 am

Apple CEO Steve Jobs introduced the MacBook Air on stage at Macworld 2008. The laptop was born after Intel dug into its research pile to fulfill an unusual request from Apple. Photo: Jon Fortt


When Apple first announced the switch to Intel chips three years ago this month, Intel chief technology officer Justin Rattner didn’t expect a chummy research relationship, even though the Silicon Valley companies’ headquarters are just 15 minutes apart. Friends had warned him that Steve Jobs and his crew of iconoclasts have little patience for the futuristic stuff of research labs – they’re on the hunt for bold ideas they can build into products within months, not years.

So when Rattner, who leads Intel’s (INTC) research efforts, gave a presentation to Apple (AAPL) brass about the range of projects his scientists were cooking up, he was pleasantly surprised to leave the meeting with a list of a half a dozen that Apple executives wanted to hear more about. One thing that wasn’t surprising: Apple wanted the technology pronto.

“Sometimes it’s a little scary because we’re just not used to going that fast,” Rattner says. “They say, ‘We want to do this next year,’ and we go, ‘Whoa … next year?’ We’re just not built for that. But once you get past all that, I think it’s particularly exciting because they really pull it. And I think MacBook Air is a great example.”

If there were lingering doubts about how well longtime enemies Apple and Intel would work together, the svelte MacBook Air laptop should dispel them. Many observers (including this writer) were unsure what to make of the machine when Jobs introduced it in January, especially given that it lacked two common features: a DVD drive and a removable battery. But in the months since, it has taken its place among Jobs’ brilliant if unconventional bets. The MacBook Air has been the top-selling computer on Apple’s online store for most of the year, even though a similarly appointed laptop without the narrow profile sells for hundreds of dollars less. And Intel can proudly say its researchers helped make it possible.

“That was the first time they actually worked together on a custom project,” says Tim Bajarin, president of the Creative Strategies consulting firm. “Before that, everything was pretty much off the shelf. As a result, the relationship grew even further.”


Intel Chief Technology Officer Justin Rattner didn’t expect such a fruitful research relationship with Apple. Photo: Intel
A few years back, few would have figured Intel and Apple could become buddies. After all, Intel and Microsoft (MSFT) were frequent targets of Apple’s keynote antics during its Macworld presentations. Jobs and his entourage demonized both companies as purveyors of inelegant, cookie-cutter technology. Intel was often cast as the foil when Jobs whipped the covers off of some thin, new PowerPC laptop that had a chip from IBM (IBM) inside: You can’t get this sort of thing with Windows laptops, he’d say, because those Intel processors are so darn chunky.