Tuesday, October 18, 2011
nsa.gov--we got the cheapest routes!
Dear National Security Agency, this post is not against you and has probably nothing to do with what you are doing in the real life. Anyway, this story is so good that it could be true, and I want to share it. Feel free to replace NSA with the service provider or government agency of your choice and the country of your choice!
I was always wondering how you can get access to phone calls for the purpose of recording them and hopefully finding some interesting content. It seems there is an easy way: become an Internet Telephone Service Provider (ITSP)! All you have to do is bid for the destinations that you are interested in. For example, you want to record all phone calls that go to Afghanistan? Well, just start bidding for the traffic based on the destination patterns. Or you want to record all phone calls to a specific number? Just bid for that number, I think the prefix can be longer than just a few digits so why not the whole number? Everything is pretty much automated these days, for example check out the Voice Peering Fabric (VPF) which handles tremendous amounts of traffic. It would be interesting how quickly they can change the routes, maybe if you know someone is about to place a call, quickly bid for the route and bingo! That would save a lot of money for the unwanted traffic and the work to work through all the recordings. Also, what you get as the new service provider, is also the phone number people are calling from, also making it easier to find out if the call is interesting or not.
Maybe guys like the VPF should also support bidding for source-based numbers, so that you can filter for only the traffic from the people that you are interested in. This might sound like a bold request, and it would be really difficult to explain that with anything else than the interest of recording.
The other way to do that is to run a PBX in the country of your choice and oopsss, you picked a trivial password. I am sure sooner or later the "friendly VoIP scanner" will find you, and give you lots of traffic for the country. Then also the recording part will be trivial. Okay, in this case you would make no money, but at least it is only national traffic that you have to terminate. Usually this is cheaper that international traffic, especially in some countries of specific interest these days.
So what does this have to do with the snom m9? Not much. The m9 does support the usual encryption mechanisms like SRTP and TLS; but what is it good for when your service provider just translates everything into plain unencrypted traffic and sends it to a service provider that you cannot control at all? Even ZRTP is usually not the solution. Most service providers will terminate the ZRTP at a kind of session border controller (which you have to trust and you will do that), and then it will go South from there.