Thursday, February 01, 2007

OPEN THOUGHT

Software, not hardware, is the key to eavesdropping

DON SAMBANDARAKSA

Virtual world, ubiquitous communications, convergence - all buzz words that describe the world that we live in today. Yet, this world is changing and the recent press conference by the MICT to reassure us that nobody's conversations were being eavesdropped on made it clear that either nobody in power today has a clue about the brave new world of tomorrow, or that they would rather pretend not to know and let us continue to live in ignorant bliss.

Soon after General Sonthi Boonyaratglin voiced his concerns that everything he and the people running the country say over telephone networks is intercepted and sent to Singapore, the ICT Ministry brought together the heads of Thailand's telecommunications companies and the National Telecommunications Commission to reassure the public that there was no wiretapping equipment installed anywhere, and that the ICT Ministry had ordered extra security around the network operations centres of each telco to ensure that such equipment cannot be installed.

However, had anyone in that press conference bothered to read the Post Database on the 22nd of March last year, they would realise that the idea of eavesdropping equipment is about as appropriate as the concept of, say, building a better punch card system today.

In the early days of 2G telephony, if one wanted an SMS solution, one would go out and buy a box from the telecommunications equipment manufacturers such as Nortel or Ericsson, plug it in, and have a big headache integrating everything and getting it up and running.

Today, everything runs (or should be running) on generic switches and what was once associated with a box from a manufacturer is today merely a software package, like any other business enterprise software package.

The lead article in Database back in March last year covered Oracle's regional "Telecoms Leaders" summit, where Vittorio Viarengo, Oracle vice president for development for mobility, voice and communications was in town. Viarengo spoke of how Oracle was extending the J2EE Java enterprise framework to support a telecom company and how they expected to develop standard APIs and wrappers for existing legacy infrastructure too.

"With the new framework in place, any new idea, such as pushing voicemail to be delivered to the phone via MMS, would only be a matter of writing a new Java program. The difference is that the new service would take two days to develop and deploy rather than months," he said back then.

Indeed, Oracle's vision is for telcos to run on generic switches with all their intelligence running on Oracle Real Application Clusters (RACs), their term for grid computing. New services - be it billing (which, when you think about it, has a record of all numbers called) to SMS, MMS, email or any other new mashup type of service - would then run on J2EE on those RACs. Of course, they also would like you to run it on Oracle databases.

Now, take that to its logical conclusion. If an off-the-street Java programmer can do a voicemail to MMS solution in two days as Oracle claim they can, it would take almost no time at all for someone to write a piece of code that would forward a copy of all conversations with the name "Sonthi" in it to the email account thickskin@shinybutt.com. Or to Singapore, for the sake of argument and supposing the General is right this time around.

The idea of importing wiretapping "equipment", which was mentioned in the press conference, is therefore just not relevant. Yes, AIS, DTAC and everyone else denies having wiretapping equipment. The NTC said that importing such equipment without a licence would lead to their concession agreements being revoked. The ICT Ministry said that they would crack down on anyone with wiretapping equipment and even told the telcos to guard their networks well to ensure that no such equipment is installed.

But what nobody talked about, and none of the assembled media asked, was if there was any wiretapping software installed and how the NTC or MICT could guard against the possession of software for illegal purposes. That said, if the new generation J2EE framework is actually in place today, possession of such software would not even be a relevant question as it could probably be written from scratch in a day anyway, with someone walking in and out, not even with a memory device.

Could it be that the NTC, MICT, TOT, CAT, AIS, True and Dtac officials gathered there that day did not know this? Could it be that General Sonthi and the rest of whatever the coup leaders have renamed themselves do not know that today hardware is irrelevant and it is a matter of software?

Or were they just playing dumb to mislead the people of Thailand into a fool's paradise? At least those of us who had not read the March 22 edition of Database or this column.

The analogy of what happened is like trying to prevent a network virus from attacking by placing security guards outside the server room.

Anyway, if General Sonthi and the Assets Examination Committee are so concerned about being wiretapped, why not use public key encryption? GPG (the open source GNU Privacy Guard) works easily enough for even novice users and can integrate with most email clients and operating systems. There is also GPG phone for peer to peer Voice over IP if he wants to discuss things without a transcript of what he said being sent over, as he claims, to Singapore.

That is, if he does not do anything silly with his private key. But judging from the entire gamut of political leaders, telecom company executives and regulators gathered together that day, it's a wonder this country is still in one piece.

The generals could do worse than get computer geeks in to help in this day and age of information warfare, rather than draft ancient half-bit electrical engineers more accustomed to creating crystal radio transceivers from junkyard parts for school projects. There is so much that can be done, both defensively and offensively, that nobody seems to be remotely aware of. But for some reason, these people do not want to listen and seem to prefer to select "yes-men" to ensure that nobody makes noise so as to wake them up from their cozy dream.

Bangkok Post
Wednesday January 31, 2007
