Experiments with ZRTP and FreeSwitch

ZRTP is very important project for securing your voice communication. I started playing with Jitsi, Acrobits Softphone and FreeSWITCH.

What I found out after initial configuration of ZRTP for FreeSwitch is that FreeSwitch attempts to negotiate ZRTP keys and act as a trusted man in the middle. I wanted to avoid that and provide end to end encryption. The magic option that would allow direct passthrough of ZRTP to the endpoint is enabling:

<!--Uncomment to set all inbound calls to proxy media mode--> <param name="inbound-proxy-media" value="true"/> 

in conf/sip_profiles/internal.xml.

Other funny thing I found out is how many bots are out there trying to abuse my softswitch. This happened a few hours after setting up FreeSwitch on public IP (that was never used as a SIP server before). I have run tcpdump capturing only UDP on 5600:

[root@softswitch ~]# strings output.pcap |wc -l 37235 [root@softswitch ~]# strings output.pcap |grep To: | wc -l 2833 [root@softswitch ~]# strings output.pcap |grep To:| uniq | head -n 5 To: "J" <sip:1001@> To: "J" <sip:1001@>;tag=U4SvF45vSBeeN To: "J" <sip:1001@> To: "J" <sip:1001@>;tag=vDKNHZp0pm40g To: <sip:1001@> [root@softswitch ~]# strings output.pcap |grep To:| uniq | tail -n 5 To: 700972597727055 <sip:700972597727055@>;tag=Uy4Dmj5jN0NHB To: 700972597727055<sip:700972597727055@> To: 700972597727055 <sip:700972597727055@> To: 700972597727055 <sip:700972597727055@>;tag=v7X6NDppj9B4p To: 001972597727055 <sip:001972597727055@>;tag=jD1e4yDKFgD9j [root@softswitch ~]# strings output.pcap |grep -i nonce| uniq | head -n 10 Proxy-Authorization: Digest username="2010",realm="",nonce="9613eafe-5920-11e2-84ca-eb9dba96f036",uri="sip:00972592819732@",response="264f1ab22fa5dacafc01387032228446",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2010",realm="",nonce="96dbcfa6-5920-11e2-84cc-eb9dba96f036",uri="sip:000972592819732@",response="512df72182d278d705a2160ba15f4a0f",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2010",realm="",nonce="97630552-5920-11e2-84ce-eb9dba96f036",uri="sip:900972592819732@",response="a45fc82a1d632a8890f777716b7935f5",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2012",realm="",nonce="0b1a9a5a-5926-11e2-84d4-eb9dba96f036",uri="sip:00972592819732@",response="c5590c623d654384f83ff04da785a197",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2012",realm="",nonce="0c7a5b10-5926-11e2-84d6-eb9dba96f036",uri="sip:000972592819732@",response="f581d146cb370170764fa8f54bd4b360",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2012",realm="",nonce="0dc65ae6-5926-11e2-84d8-eb9dba96f036",uri="sip:900972592819732@",response="d522d9a645bd6b3a47a8d5091b73b0f4",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2020",realm="",nonce="811aaa42-592b-11e2-84de-eb9dba96f036",uri="sip:00972592819732@",response="407a62e3cc1dcadad13e5e672a8cdb88",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2020",realm="",nonce="826543b2-592b-11e2-84e2-eb9dba96f036",uri="sip:000972592819732@",response="f803d9c9687217fc97829bc317933c6e",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2020",realm="",nonce="83df2bfe-592b-11e2-84e4-eb9dba96f036",uri="sip:900972592819732@",response="5e11b2531e86709427c9eea542203cd9",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="301",realm="",nonce="2e81b5a4-592c-11e2-84e9-eb9dba96f036",uri="sip:00972597727055@",response="156ef65fecbe325882b48b555ec92cd4",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 

For those that are not that familiar with UNIX, this basically means, that there are bots (or botnets) out there trying to brute-force your password and call out. That means you need to change your password before running FreeSwitch for the first time.

I used a good (although older) tutorial about starting with FreeSwitch.

Moral reform by Ztohoven: An ultimate hack

Almost nobody would guess that the speech of Czech MP David Rath would start a moral reform in the country. Rath was arrested and charged with receiving bribes in May 2012. He had a chance to explain what happened to other MPs, who would then vote on his political immunity. His words were not addressing the fellow MPs. He was looking at the cameras and trying to create a sentiment in the Czech nation. He pointed out other cases of corruption. The moral reform was not coming from his words nor from his heart. It was happening in parallel to his speech. And he was the only one that did not notice.

In contrast to his fellow citizens, Karel Schwarzenberg (minister of foreign affairs)  was not moved by Rath’s words. He did what every sane person in that situation would do – he fell asleep. From that place where dreams melt with reality of TV cameras filming bored politicians he sent a text message to Karolína Peake (Deputy Prime Minister of the Czech Republic).

Miss Peake was not moved by heart-breaking speech of Rath either. The cameras caught her black ThinkPad, as she was sitting right behind the speaker, but we could not see its screen. We could read her face though and it kept saying: “I don’t care what’s around, I am doing something more important”. Probably reading e-mail. Or browsing Facebook. She almost forgot that the whole country is watching her. Then she woke up – from the place where we escape when we wait at the doctor’s office – when her phone vibrated. She received a text. Although we already know what it said, at that time, we could only see her reaction: She smiled, her hand swept through her hair and she got a rush of energy. She probably decided to share that text with someone…

Karel Schwarzenberg (TOP 09) -> Karolína Peake (independent)

“Watching what goes on these days, I realize that we need to stop doing that. We need to do something, something important. Something that will change our whole society from scratch”

Few minutes later something unexpected happened at the house of parliament. No, David Rath did not apologize for his corrupt behaviour. His speech was still directed at citizens, trying hard to make them emotional. He probably learned that from other heart-breaking speeches by many other politicians that use this technique to influence the public. Something was in the air. Whispering started in the house of parliament.

Jan Hamáček (ČSSD) -> Alexandr Vondra (ODS)

“We all have something on each other – a mutual deadlock. I feel really bad about it. Moral reform is the only way out of it. Let’s grasp this opportunity”.

More and more of these text messages (SMS) started to spread – between MPs, between heads of political parties, between press representatives and journalists. Both directions. Everyone was joining the moral reform. Everyone wanted to know more. The texts were promising a press conference that would explain the concept of moral reform to journalists and citizens. Rath did not finish yet, but something was going on here. How is it possible that Karel Schwarzenberg managed to write a message while sleeping? How is it possible that colleagues sitting next to each other exchanged messages without even touching their phones? The answer was in the text. “Moral reform is the only way out of it.” (“Morální reforma je jediná možnost jak z toho ven”)

Ztohoven is a Czech art group that is formed and then dismantled with every action they do. They became famous when they transformed the giant neon heart at Prague Castle (seat of the president) into a large red question mark. Their most famous artwork is their pirate broadcast of nuclear explosion above Krkonoše mountains on Czech Public Television (see more in the documentary about this project – English subtitles included). Project “Media Reality” was seeking an answer to question “Do people believe in what media present us as reality?”. TV cameras that are broadcasting live footage from Czech ski resorts (even during the summer) apparently were not secured that well. This group of artists managed to broadcast their own signal instead of live feed to the transmitter, replacing colorful panoramas of the Czech countryside with the atomic blast. This did not cause nation-wide panic, but a discussion about questions like “What is art?” and “Does this threaten the public?”. Discussion ended up in the court…

Ztohoven prepared a documentary (in co-production with Czech TV – which is really nice, considering their previous conflict about the explosion) about their other project. It’s name Občan K. (Citizen K.) is inspired by Franz Kafka. It is about identity and identification. What would it be like to be someone else for a while? How would it be to renounce your own identity? Twelve members of the group decided to try on their own. They took pictures of them in black T-Shirts and used image morphing software to create “inter-identities” – a little bit of me and a little bit of the other guy. Then they took the photo and requested a new state-issued ID card (in Czech republic – unlike other countries – you bring your own photo to use)…

When they had this new ID card, they requested passport, visa to China, gun permit and even a wedding certificate – during the wedding, the groom and the best man had to exchange, because their identities were exchanged and the bride wanted her husband’s real name on the certificate.

According to the state, we are all equal. They do not care about us when we pay taxes, do not break law and generally get out of the way. The bureaucrats do not communicate with people, but with rows in the database and their ID cards. The human being is usually only there to hand over the ID card to the state employee.  They only notice a face when they try to compare the picture on the ID to the face of it’s owner. From that point on, we are just a record in the database. You can find more about the project in the documentary Občan Ztohoven that is right now in Czech cinemas and will be touring world documentary film festivals soon.

Projects of the group are not taking place in a gallery – they occur in “public space”. Museums and galleries are only visited by hipsters and tourists anyway. The “public space” as their location is almost the only thing that the projects have in common – it is very difficult to predict their next project.

Members of the group have rarely control over the result of the project. Most of the people learn about them from media and that means that they only get to know the media interpretation. It is very interesting that the public is almost always on their side. Although public support is very important (even in court), the members never know what consequences would their projects have. When they were sending the texts to the members of parliament, they could have changed voting or cause panic. But did they want to do that? Did they want to cause panic or change votes? It’s sad that media wrote that “Hackers attacked mobile phones of members of parliament”. The content – the Moral Reform – was probably not so interesting as the hacker attack. MPs did not disapprove of the project (how could someone disapprove of Moral Reform?), but they never spoke about it. Media was focusing on the fact that someone can send fake text messages and getting hold of phone numbers of most MPs, the president and relevant journalists. They did not focus on the fact that our world needs a real moral reform. Maybe that’s the reason that the members of Ztohoven call their projects “media sculptures” – they can set the funding stone, but the resulting shape of the project is usually formed by the media. And most of foreign media totally ignored this project. What a pity.

People usually do not like to think about structures – in a mathematical sense. Almost everyone is interested in means and content, not in relations between objects. People are interested in who voted for and who voted against something (this is actually a better case – when people are interested at all). Few people are interested in the actual meaning of a law. There is little discussion about the power structure of the parliament – who says the MPs how to vote (no, they do not read all the law that they vote for). Moral Reform is much more than a mirror of morality of politicians. It shows the structure of power in Czech Republic (see the project’s web page at www.ztohoven.com/mr/index-en.html). You can see who communicates with the media, who tells the members of political parties how to vote. Who is a carrier of change and who is a voting puppet? I suggest checking out the text messages not in a list, but in the graphic representation of parliament, where you can see how information is spread. Of course this interpretation of structure of power was created by members of Ztohoven, but it is very scary when you think about how the dramaturgy and “screenplay” resembles the reality. When one politician showed the journalists the fake text he got from Radek John and let them take a picture, he did not realize that there was an older message from the same politician that said “Skokan pacified”. Both Petr Skokan, MP for Veci veřejné and Radek John decided not to comment…

Sometimes I wish we had Ztohoven in our country. There are not many people that ask the right questions. There are almost none that ask the difficult ones. I am trying to imagine what would happen if Moral reform really happened – if politicians really decided to end corruption and be better. If they would understand that they are here to serve us. Maybe it’s evolutionary – those that are politicians are there because they have the ability to speak well in front of people, to touch their hearts and transfer emotion. About doubling wages, about security, economy, the nation, education, the Europe and the bright future… And for some reason, people base their “voting” on that. If the only quality that people in the parliament are capable of is to speak to the hearts of people, are they able of real transformation from inside? Are they capable of moral reform? Every politician is able to tell the public that they let go of their past and focus on the future. Are they capable of actually doing it?

Václav Klaus, president of Czech Republic -> heads of political parties

“Mister chairman, I urgently ask you to come to the Castle today. I would like to talk to you about the Moral reform.”

It is sad that this text came from a dream of Ztohoven and even though all heads of political parties actually received it, it was not sent from the phone of the president. We are still waiting for the moral reform to come…

Backing up your github repositories

I put a lot of my free software to Github lately. Github is nice, it allows community forks and other great things. But what if it is gone? For that, we have backups. Do we?

We should.

Addy Osmani wrote about backup up your github repositories. He gave three solution. The second one did not work for me and I was too lazy to debug, the third one required Haskell and some additional libraries (I will learn Haskell, but not at 6am), so I adapted the first solution. It is pretty simple, but used github v2 API and it is no longer supported.

So updated version is here, I also added some shell escaping (although if you backed up someone else’s repository, I suggest checking for filename-significant characters too).

This backups all your public repositories (that’s what I use). I use it with duplicity for secure backup (and restore) by encrypting on client side (please take good care of your PGP private key if you do this).

Report from 29c3

Chaos Communication Congress (CCC or C3 for short) is traditionally held between Christmas and New Year. This date is chosen not only because most hackers are free during this time, but also because organizers like to avoid people who go to conferences to escape their job and actual work. An unusual but effective solution.


In addition to the traditional time, the place was traditional too – at least for the older ones among us. The 29th Congress returned from Berlin to the original city of CCC – Hamburg. An acronym of this year’s conference is 29C3 (29th Chaos Communication Congress). The tagline of this year’s congress is “Not My Department”. The name suggests something that most hackers don’t like to see – when someone (especially an officer) makes excuses about something being beyond their competence.

If some of the descriptions of lectures sound interesting, feel free to check them online at http://bit.ly/Zd2ZGR – the streams are free.

The conference was opened by a keynote address by Jacob Appelbaum. As the author of Tor and a Wikileaks collaborator, he has experienced what it is like to come into conflict with a powerful state. Interrogations lasting hours at airports are common practice, yet he has never been accused of anything. Jacob tried to inspire hackers to develop technologies that support individual freedom – privacy, anonymity, circumventing censorship. Later, he also delivered a technical lecture on Tor ecosystem – programs and libraries that people can use (with Tor) for anonymous access/posting and circumventing censorship. Sadia Afroza Islam and Aylin Caliskan gave a lecture on stylometry that reminded us of the fact that anonymity it is not easy – even if you are using a completely anonymous connection to the Internet, your writing style can give you up. The authors presented their toolkit for stylometry (JStylo)  and partial anonymization of writing style (do not trust it for strong anonymity though).

29C3 Hamburg Tag 1

The traditional theme of the congress is of hacking GSM communication. This time it was not focused on the interception of communication. Sylvain Munaut presented his “hack” – creating a BTS (base transreceiver station in GSM network) from an old Motorola C123 mobile phone with his own firmware. Thus, it is possible (under controlled conditions) to create your own GSM network, which is able to send short text messages (SMS). The phone must be connected to the computer that is running OpenBTS clone at all times, so the Motorola C123 is used as a GSM radio peripheral.

GSM network – along with DECT and VoIP networks (which are all interconnected) –  has traditionally been used at the Congress. The private network was used by many members of the congress for intra-congress communication.

Mark van Cuijk from Holland presented his “open” GSM service provider Limesco. It allows you to adjust the routing of calls the way you want – in fact you bring mobile calls to your VoIP PBX where you can route them or do other interesting things with them. The lecture was an overview of the background of commercial mobile operators and various companies (network operator, vendor, virtual operator, …) and pricing, or interconnection charges.

The second top issue was a serious conflict of states vs hackers. From the use of the Internet in protests (Arab spring, Occupy movement) to the so-called whistleblowing, 29C3 covered almost the full spectrum of the conflict. The highlight of this topic was a talk called “Enemies of the State: What Happens When Telling the Truth about Secret US Government Power Becomes a Crime.” It was led by two former NSA employees who worked on surveillance technology. Both left NSA after their superiors decided to develop and deploy an interception programme called Stellar Wind, which (according to them) is intercepting and storing all communications (regardless of citizenship) without a court order. Thomas Drake said several times that this is against the U.S. Constitution. William Binney explained how an eavesdropping technology works and what the capacity of the new NSA data center being built in Utah is.

Americans are not the only ones that are building and using mass-surveilance technologies – Russia is now doing it too and is not so secretive about it. The “Russian way” of intercepting everything is being exported beyond the borders of Russia, and even the original Soviet Union. Mexico decided to purchase listening technology from Russian companies and the company persuaded the government to also adapt Russian lawful interception procedures – this means that the competent authorities receive all unfiltered traffic and then filter things out. There is no independent party to check if they have a court order for that interception.


The cryptology and attacks on ciphers have special dedicated professional conferences, but cryptographic analysis of Russian cipher GOST was quite interesting even at the CCC. An analysis of RFID security cards was presented in a very funny and interesting way by Timo Kasper. They described also the hacking of Prague Opencard. However, the most interesting lecture (according to us) was the factorization of RSA public keys (FactHacks), which was presented by DJB (DJ Bernstein, author of djbdns and qmail mail package), Nadia Heninger and Tanja Lange. They pointed out the real problems in the development of encryption systems, such as insufficient entropy when generating keys. They showed a field-tested method to factorize a number of keys in parallel, and their project is available at http://factorable.net/ where you can verify if the public key is weak and has well-known factors. An important take-away from this lecture is that it is no longer safe to use 1024-bit RSA keys.

Sebastian Schinz introduced side-channel attacks (timing). The idea of this attack is that some operations take longer and some shorter. Based on the time it takes to perform an operation, an attacker can get information that is not public. Textbook example is the algorithm that first verifies your user name and then your password. If the operation is performed faster (statistically), it can be inferred that the user is not found. If it takes longer it means that the application found the user and checked the password, so the user exists. This works even if in both cases, the server replies “Incorrect user name or password”. Sebastian released a set of tools for measuring and evaluating time-based side channels and showed us some techniques to prevent these types of attacks.

The CCC consists of many interesting things, not only talks. Even though it is already the 29th annual conference, the organisers are not afraid to experiment. The new space hosted nearly a hundred so-called “assemblies”, i.e. sites (from few tables to a large hacking area) that have a common theme. Assemblies also organized workshops and technology demonstrations outside the main program. There were over 100 independent workshops that were not part of the official programme. The conference network was also interesting – peak usage was 3059 users, 40% of the traffic was IPv6. During the conference, the aggregate traffic of Hamburg increased by one third (conference used over 8GBit/s). The conference organizers declared this usage as “booooring” and concluded that people do not follow the recommendation on the screens: “Please use more bandwidth”.

A number of accompanying events, spontaneously organized workshops and meetings, interesting and high quality lectures, open access (low entrance fees, conference organized purely by volunteers and a free stream) made Chaos Communication Congress the best technical (hacking) Conference at least in Europe. Sister events of the Congress are two camps, one organized by the German Chaos Communication Club and the second organized in the Netherlands. This year the Dutch camp is called Observe, Hack, Make (OHM) and tickets are already sold on ohm2013.org. Join us in the summer, it will be an awesome event!