Governments and corporations have a common luxury that the average citizen does not, and that is an abundance of money. In the case of security and privacy, this allows them to develop specialized equipment that can provide a higher level of security than is available to the public.

Now if you ask any well-respected cryptographer, in any given product (assuming it uses well-known ciphers and not TOY ciphers) the encryption algorithm used will most likely not be the weakest link in the chain. You are more likely to see attacks that exploit other weaknesses in the system.

Possible culprits:

  • Possible side-channel attacks
  • Programming mistakes
  • Poor quality random number generation
  • Improper algorithm implementations
  • Lack of peer review (Hello SKYPE)
  • Unsanitary environments
  • Insecure handling of memory regions containing encryption keys/data.

    We have some suggestions for using this software and other encrypted voice communication media effectively to ensure your privacy.

    A. Exchanging negotiation keys for CAMELOID should be done via
    a secure medium like the following:

    1. Person to Person (!!!never over the phone!!!)
    2. GnuPG/Other encrypted e-mail
    3. Off-the-Record Messaging
    (A great piece of work by Nikita Borisov and Ian Goldberg)

    B. Lock down your systems (the best you can) to prevent unauthorized access. Keyloggers, trojan horses and other rogue software can compromise the security of CAMELOID and other encryption software. Keep your systems up-to-date and perform periodic checks of your system.

    C. Be skeptical of any binary-only distributions of CAMELOID or any other software; there is no way to verify (short of reverse-engineering) whether the software is legitimate.

    D. Sanitize your environment. There exist many clandestine surveillance devices, some of which are smaller than a dime (most of which are wireless), which can compromise your privacy. Check out Spy World for some examples of these types of eavesdropping equipment. To combat these particular types of intruders you should do an automatic/manual sweep with a bug detector or frequency scanner to attempt to detect anomalies. If the threat is very real, we suggest you contact a Counter-Surveillance Specialist.

    E. Consider using encrypted disk and encrypted swap partitions to protect your data. Loop-AES is a good example of an easy-to-use (full) disk-encryption project that also allows you to encrypt swap memory.

    Also, we recommend a memory sanitizing utility like smem,
    which is part of the THC-SecureDelete package.
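
The "insecure handling of memory regions containing encryption keys" item and the swap concern in suggestion E, shown from the program's side as an added example (not CAMELOID's own code): a key buffer that is pinned out of swap with mlock() and wiped before it is freed. The names secret_buf, secure_wipe, secret_alloc and secret_free are hypothetical, and a POSIX system with C11 aligned_alloc() is assumed.

```c
#include <stdlib.h>
#include <sys/mman.h>   /* mlock, munlock */
#include <unistd.h>     /* sysconf */

/* Hypothetical key container for this example; not a CAMELOID type. */
typedef struct {
    unsigned char *bytes;  /* page-aligned key storage */
    size_t cap;            /* bytes allocated (whole pages) */
    int locked;            /* 1 if mlock() pinned the pages in RAM */
} secret_buf;

/* Zero through a volatile pointer so the stores are not optimized away. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Allocate whole pages for a key and try to keep them out of swap. */
int secret_alloc(secret_buf *s, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (!s || len == 0 || page <= 0 || len > (size_t)-1 - (size_t)page)
        return -1;
    size_t cap = (len + (size_t)page - 1) / (size_t)page * (size_t)page;
    unsigned char *p = aligned_alloc((size_t)page, cap);
    if (!p) return -1;
    secure_wipe(p, cap);
    /* mlock() can fail under RLIMIT_MEMLOCK; record it for the caller. */
    *s = (secret_buf){ p, cap, mlock(p, cap) == 0 };
    return 0;
}

/* Wipe first, then unlock and free, so no key bytes stay in the heap. */
void secret_free(secret_buf *s)
{
    if (!s || !s->bytes) return;
    secure_wipe(s->bytes, s->cap);
    if (s->locked) munlock(s->bytes, s->cap);
    free(s->bytes);
    secure_wipe(s, sizeof *s);
}

int main(void)
{
    secret_buf k;
    if (secret_alloc(&k, 32) != 0) return 1;  /* key material goes in k.bytes */
    secret_free(&k);
    return 0;
}
```

A caller that finds `locked == 0` should treat the key as swappable, which is the case encrypted swap is meant to cover.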

    View the /miscdocs directory for writings about cool
    ways to use cameloid and ensure secrecy.