Written by Sean Wolfe
Thursday, 29 September 2005
Encrypting Voice: An Interview with Phil Zimmermann, Creator of PGP
Page 1 of 3
Phil Zimmermann is a name that is nearly synonymous with data security. He released PGP (Pretty Good Privacy), an encryption scheme for electronic mail, in 1991. PGP was so good at encrypting data and files that in 1993 Zimmermann came under criminal investigation by the US Government for, as it was called at the time, “munitions export without a license.” Export regulations on encryption have lightened since the early 90s and PGP distribution is no longer restricted. PGP and PGP-compliant applications are now the most frequently used programs for email encryption in the world.
With voice over IP security one of the hottest topics around, Zimmermann is now preparing to release zFone, a working title for his latest application, which is aimed at encrypting VoIP calls. He envisions a suite of zFone products, including software that will run on an existing VoIP client, as well as software that could reside on routers.
[VoIP Magazine] You first announced zFone at the Black Hat Security Conference in Las Vegas. Is it typical to do product launches at such conferences?
[Phil Zimmermann] I’ve only had two products in my life that were entirely my own creations—PGP and this one. PGP was not announced at a conference. I announced it on Usenet newsgroups back in 1991, but people don’t really use Usenet anymore, or if they do, it’s not in the same way, so I chose a conference setting.
[VM] What was the reception there like to the announcement?
[PZ] It was very positive. People were enthusiastic, and I also did a similar announcement the next day at DefCon, and that also went very well.
[VM] What kinds of issues were raised in conversations you had at those conventions? Did people there really see a need for the product?
[PZ] I think everyone there recognized the importance of VoIP as an emerging technology. I also think everyone recognizes there are security problems with VoIP. At other conferences there wasn’t as much awareness, but at Black Hat, which mostly attracts security professionals, they were quite aware of VoIP’s security issues.
[VM] There’s been some talk amongst the trade press that encrypting VoIP calls is something of a solution in search of a problem. How do you react to that?
[PZ] Everyone who hasn’t been living under a rock the past few years knows the Internet is a rough neighborhood. The fact is the Net is a playground for criminals. There are all manner of criminal exploitations going on right now, whether you’re talking about phishing, identity theft, distributed botnets, or malware that infects PCs within minutes of connecting to the Internet. Clearly, if we are to move our phone calls into such a hostile environment, we will need protection.
[VM] I think we’ve all read many of those stories, sometimes on a weekly basis, but how does that apply to VoIP calls? Isn’t there a kind of intrinsic security through obscurity, because of the labor involved in actually finding a specific conversation that could contain sensitive information?
[PZ] Not really. There’s a piece of malware out there that if it can infect just one computer in the enterprise, it can sit there, capture all the VoIP calls made on your network, record them to disc, and organize those recordings like a TiVo player. In other words, these recordings can be browsed and selected for persons of interest to listen to. For instance, one could hear all the calls made by the in-house counsel to the outside law firm. Or what one CEO says to another. I think a lot of people are accustomed to the relative safety of the PSTN network, which we’ve had for a century. But the PSTN is like a well-manicured neighborhood compared to the crime-ridden slum of the Internet.
[VM] That’s a pretty dark picture you’re painting.
[PZ] You bet.
[VM] That said, I’ve not read any stories about VoIP networks being exploited in the way you describe.