[jrockway]

“What he is doing would be illegal in Britain and the United States.”

Hmm, guess which two countries he is not doing this in. I am not sure how this is relevant, except to say, "oh fuck." (If you can't attack the argument, attack the person who's arguing.)

To do this while supposedly being concerned about privacy is beyond me.

Now I know for sure that I need to encrypt my calls in another way. Before this announcement, I figured it was handled for me; I didn't assume that criminals had already broken the crypto and had kept the information secret. Now I am sure they have, and that my non-encrypted calls are obviously being monitored. (I exaggerate a bit, but it's clear how this disclosure enhances my privacy.)

Not sure why the GSM folks are taking this so seriously. Computers are fast. 64-bit encryption has been unsafe for nearly a decade. Everyone knows that this was going to happen eventually.

Edit: after reading the slides, I am really amazed by this. I remember when I was a kid and I used to listen in on cordless phones and baby monitors with my radio scanner. It was really, really interesting. The thought of sitting on the train and listening to both sides of people's cell-phone calls appeals to me in a way that I can't quite explain.

[tptacek]

In fairness, or whatever, the problem with A5/1 isn't simply that it's got a 64-bit key, but that it's a uniquely bad stream cipher prone to linear equation-style attacks and precomputation. Nate, Colin, or Bruce may smack me down for saying this, but I don't think you can apply the same attacks to, say, RC5.

For roughly a decade, pretty much anyone who attended more than one local 2600 meeting got the tech demo on snooping cell phone calls --- they were analog. Everything old is new again. It's nice that encrypted digital calls were so successful that the loss of their security is major news.

[jrockway]

Yeah, you are right. The impression that I got from the NYT article was that this was "given a trace and a bunch of computers, you can get the voice data... maybe, eventually", but the impression that I get from the talk is that it is actually realtime. That requires weaknesses in the crypto that are embarrassing for anything 1980s or 1990s vintage. I don't think this attack would be feasible if they used DES instead. (I will defer to you or cperciva for that one, however :)

[siculars]

what i got from the 3c talk is that the data stream is on the order of 80MB/s (tx/rx, because they need to record the entire spectrum due to frequency modulation) and that currently they have not found a way, it seems due to lack of fpga programming skillz, to decode in real time. it seems like they are recording and then decoding some time later via their 2TB lookup table. Even with the 64bit keyspace the lookup table is 2TB because its a rainbow lookup which means that only certain values at certain intervals are stored.