Skype Encryption Stumps German Police
TallGuyRacer writes "German police are unable to decipher the encryption used in the internet telephone software Skype to monitor calls by suspected criminals and terrorists, Germany's top police officer, Joerg Ziercke, said. "The encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it. That's why we're talking about source telecommunication surveillance — that is, getting to the source before encryption or after it's been decrypted.""
What they want is permission to install spyware - something that is illegal in Germany at the moment: That's the real point of the story, not that Skype is unbreakable.
ccalam - acoustic versions of new songs.
when technology allows brain implants and wireless brain-to-brain communication. Oh joy.
The grass is always greener on the other side of the light cone.
Not only Skype gives us free, multiuser lag-free video conference with excellent quality, now we know our conversations are private.
I have nothing to hide, but nothing to share either.
Whether it's the police or just some nosey old git (Q: how can you tell the difference?) who's eavesdropping on your conversation, the point is that only the person you're talking to should be able to decrypt the data.
If the police don't like that, they can always try to outlaw it - or require that keys are made available to them.
The problem you get then is people who "spoof" an encrypted datastream by just sending random numbers (tho' not from a Microsoft source as we've recently been told) down the line.
How do you know when a stream of apparently encrypted data has been decoded anyway?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
This is a good thing. Having to install monitoring at the source or destination means an operation that requires effort and, hopefully, a court order. This means that there is judicial oversight, and that to catch criminals police have to do, you know, police work rather than just sitting around spying on us.
Ubiquitous encryption does not make law enforcement impossible. It just makes indiscriminate law enforcement impossible.
According to this PDF document, Skype encryption is based on open standards (such as AES, SHA-1, etc).
According to this article, our good friends at the NSA "may" have put backdoors in some of the technologies that could be used by Skype.
And, then, according to this other article, it does not matter what technologies you use, if your CPU is wide open to analysis and crypto attacks.
And, of course, there is the question of using a 'secure' communication system on a completely insecure operating system, such as Windows. Why do you think they talk of intercepting the communication before it becomes encrypted? Probably because the vast majority of suspects use Windows. Using Linux, or MacOS, would not be much of an improvement either.
Conclusion? Well, the Bundespolizei (that's German police to you) may not have the means to decipher your Skype communications right now. But it's getting there, thank you very much. And there are agencies out there who certainly can, and will.
And what happened to free German crypto? I thought Germany had the only sane policy about crypto in the industrial world?
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
And German police is not Alan Turing, obviously
We cannot break Skype encryption, and we have publicly announced that, so it's perfectly safe for you to keep on using it! Really!
Nothing great was ever achieved without enthusiasm
Encryption is about 4500 years old.
They enjoyed a short time of easy wiretapping and now we are back in an environment of secure communications. Well, tough luck, laws that infringe the privacy of your population can't help you now.
You can always cry "HAX" or call the waaambulance, I suppose.
I use Skype because of the encryption. It's fast too. And sending files is quick as well even if I am behind a firewall. Unlike other messenger services I know of.
couldn't resist. this is just so "snatch" :
;-)
Turkish: F*ck me, hold tight. What's that?
Tommy: It's me belt, Turkish.
Turkish: No, Tommy. There's a Skype in your trousers. What's a Skype doing in your trousers?
Tommy: It's for protection.
Turkish: Protection from what? "Zee Germans"?
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
Oh noes, the police can't decipher Skype! We're all gonna die!
Yeah right.
If you are paying attention, Skype is incorporated in Luxembourg, which is part of the EU, just like Germany (they actually share borders).
Do you think the EU would allow for some European company to provide tools to "terrorists" without having eavesdropping ability?
Now for the real story; German Police is putting on a little show so people actually trust *more* the closed-source Skype software.
If the German Police had no way of eavesdropping they would either (a) Shut up about it or (b) Actually say they have supercomputers that can decipher anything (even if this is not true). (a) or (b) would create enough FUD for "terrorists" to actually distrust Skype as a communication medium.
This is all spin doctor speak, and I would never trust Skype for sensitive material communications. The Zfone project http://zfoneproject.com/ is a much more secure system.
Artificial intelligence is no match for natural stupidity
Is this at all surprising? It's the police, they're hardly high-tech. I wouldn't be surprised if they couldn't get into a PKzip passworded archive. ROT-13 would certainly baffle them.
Now, if it were the security services that couldn't get in, that would be more surprising.
If you are talking about getting to data after encryption, or before, why wouldn't you talk to Skype? This is completely unrelated to being able to tap encrypted communications. This is on a whole different level, and contravenes many laws brought into many countries for spyware and data protection.
God only knows what this means.
How would they propose to do this, and get 'software' installed undetected?
Well, being an Islamist or belonging to some other group is not a crime, and I dare say if you searched many people's hard drives for stuff about bombs and explosives then you could find something. That doesn't mean that they're going to do anything.
This is yet another old and decrepit security services organisation, worried about its future, worried about its funding, people who are worried about their jobs and worried about its place in the world.
Skype can break firewalls. Don't y'all read slashdot?
It's the whole friggin point of the encryption innit? If they need to listen in on criminals' Skype calls why can't they make some sort of agreement with Skype?
Maybe they're clever, and they can in fact decrypt it, but they want you to think they can't?
John has a large moustache. I repeat: John has a large moustache.
Don't fight for your country, if your country does not fight for you.
The first thing I thought was if I could hack a telephone system out of many what would I do?
Tell everyone I can't and get as many people using that system so that I can listen in onto as many as possible.
I'll go put my tinfoil hat on again now.
freely available. plus, there's never any payper liesense subscription fees, no cover charge & no encryption required. just pay attention, which is cost effective, & lessens the chances for further corepirate nazi bushwhackings. does anyone recall who hitler's favorite 'enemy' was? hint: it was 'terrorists'.
meanwhile, trying to stay 'in tune' with a declining greed/fear/ego based aspect of man'kind' can be somewhat discouraging, as certain LIEforms continue to claim 'ownership'/control of people/things, in spite of the fact that all we have/are is a gift from yOUR creators. so what is a 'fair' day's pay?
micro management (by use of deception, detainment & media control/censorship) of entire populations has never worked (for very long). it's an illness. tie that with life0cidal aggression & gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster.
we're intending for the nazis to give up/fail even further, in attempting to control the 'weather'.
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying&oe=UTF-8&um=1&ie=UTF-8&sa=N&tab=wv&oi=property_suggestions&resnum=0&ct=property-revision&cd=1
the creators will prevail. as it has always been.
corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7
as there are no benefits, just more&more death/debt & disruption.
fortunately there's an 'army' of angels, coming yOUR way
do not be afraid/dismayed, it is the way it was meant to be.
the little ones/innocents must/will be protected.
after the big flash, ALL of yOUR imaginary 'borders' may blur a bit?
for each of the creators' innocents harmed (in ANY way), there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available.
beware the illusionary smoke&mirrors.con
all is not lost/forgotten.
no need to fret (unless you're associated/joined at the hype with, unprecedented evile), it's all just a part of the creators' wwwildly popular, newclear powered, planet/population rescue initiative/mandate.
or, is it (literally) ground hog day, again? many of US are obviously not interested in how we appear (which is whoreabull) from the other side of the 'lens', or even from across the oceans.
vote with (what's left in) yOUR wallet. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable.
we still haven't read (here) about the 2/3'rds of you kids who are investigating/pursuing a spiritual/conscience/concious re-awakening, in amongst the 'stuff that matters'? another big surprise?
some of US should consider ourselves very fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate.
it's right in the manual, 'world without end', etc....
as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis.
concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order.
'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.
consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?
"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."
it's very likely that they can decrypt it or that they have access to some backdoor in Skype ... In other interviews (or other cited versions of the same?), Ziercke said that they hadn't talked to Skype yet about access to a backdoor.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
And that assumes the crypto is perfect and the police / intelligence services are incapable of decrypting it, playing man in the middle, or failing that installing a trojan, or planting a bug, or listening through a wall or whatever.
It sounds like BS. Even perfect crypto gives them more information than they had to begin with. It sounds like they want to have their cake and eat it too.
The Nanny State knows better than I do how to take care of me. I need the Nanny State in order to properly function as a responsible adult. Without the Nanny State telling me what to do, how am I to know what is right and what is wrong? It's just like having an extension of my Mommy and Daddy around for the rest of my life! I feel SO COMFORTABLE!
This message brought to you by the letters A and Q and the number 5. "A" stands for absurd.
The Federal Court at the moment tries two other laws recently made by our government:
- So called "Vorratsdatenspeicherung": that is, every time you connect to an internet server or call some number on the telephone, it gets registered what server you connected to, what number you've called and how long the connection lasted. This data shall be saved for 6 months, according to the new law.
- Mass scanning of car numbers through camera systems at the roadside by the police. Police claims the scanned numbers are not stored, but rather being matched against a database of known fugitives. But some doubt definitely remains here.
Both laws were heavily and partly critically questioned by the Judges at the Federal Court ("Bundesverfassungsgericht") at the oral proceedings. Those judges also have a long standing history of invalidating laws that would take government power too far.
unless you just bought shares in Skype and are trying to break the as-yet untapped terrorist market.
That's a translation problem. The agency in question here is the "Verfassungsschutz" (meaning, ironically, "Federal Agency for the Protection of the Constitution"), which is the German Version of the NSA (not that this name is any better). The submitter just couldn't be bothered to go through all that hassle and called it "the police".
Now, while the VS certainly doesn't have the means of the NSA, it is indeed a rather sophisticated service, and I am entirely convinced it is not beyond their means to employ really good security experts.
Are they really thinking that they can thwart terrorists and such with this kind of surveillance? Any nonsense sentence can be a code to act, it's been used for ages. The idea of the intelligence organization sitting in cubicles and spying from a chair is bound to fail, and has failed many times over. So this is both useless, and effectively is spying on a country's citizens. This is what Stasi did, this is classic KGB, it smells of Gestapo, is this what we call freedom? Privacy is more important than it has ever been, and we will fight for it, and declaring war on your own people because they want their privacy is just as bad as the terrorists and the mafia.
The possibility of terrorists using skype is there yes, but right now according to most police forces IMHO is increasingly through use and throw sim cards over plain vanilla cellular networks.
And without any encryption to boot, most conversations are phrases within local dialects which listed out would mean anything from a shopping list to a planned assassination. The point here is rather than spying on the content it's the point of origin and the investigative techniques used by most third world countries today that'll help. And definitely not the backdoors left in most protocols used by Skype et al. by all the three letter agencies.
The type of curbs being tried by the German Police would essentially be useful against big time money laundering and crimes similar in vein.
Kurt Sauer, Skype's chief security officer, said there are no "back doors" that could let a government bypass the encryption on a call. At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided. The German police just wants to install trojan horses for monitoring the Germans. If the Polizei were really after those encrypted Skype calls they would just sue Skype, and not be whining about their lack of skills in public.
Damn, not even one post, and this article has been Godwined!
From the tags: nazis. Sorry people, this discussion is now invalid, move along.
No tyrant thrives when every subject says no.
It looks like the Germans have encountered a bit of an enigma...
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
"...This is yet another old and decrepit security services organisation, worried about its future, worried about its funding, people who are worried about their jobs and worried about its place in the world...."
Few people realise that this is what lies at the heart of the appalling mess western society is now in.
The Security Services lead, but the whole cold war infrastructure follows. In the Western world we have been brought up to expect and resist an external military threat since the 1930s - there is a huge amount of impetus there. That is why they are generating new threats as we speak - it's the only way they know how to live...
When the Police or a Judge needs to wiretap phone conversations, they ask the telecom companies to provide them with a "plug" with unscrambled and unencrypted traffic. Every communication company is to comply with this law, at least in United Europe.
This happens for landline, GSM and sat phone calls. And should also happen for Skype-like calls.
If the Police is trying to do it the hard way, well, I fear they are trying to do something illegal!
Or maybe they are trying to make people sure that Skype is unbreakable, while it is not.
You can bet that somewhere in the Skype system the conversations are clear text. That's the right place you can push your plug to wiretap!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
What can we do to stop this american practice of supporting terrorism and coups against other nations?
What will make you americans stop these atrocities?
Should we return the favor?
Assorted stuff I do sometimes: Lemuria.org
According to work done by EADS employees (http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf), Skype encryption is (at least partially) broken and Skype conversations can be deciphered. They even present means to route Skype traffic through arbitrary hosts, something which is also done with Tor traffic. So if the police *really* wants to eavesdrop on Skype traffic, they have all the means necessary to do so. I also suspect them to lay ground for the Bundestrojaner.
Germany's top police officer said.
Who is this guy and how "top" is he? Because either he doesn't know what he's talking about or this announcement is a distraction/excuse/redirect.
As if I'm really going to trust an announcement from the state that we can't eavesdrop on communications from company X without thinking it through.
Especially when it's well known the Skype protocol has been broken and has back doors for a long time. Being able to intercept communications has been a requirement here in the US for awhile. It sounds like they just want everyone to start using it. Or it's an excuse to do a run around current German privacy laws.
And, don't forget to add that we've not been in contact with the company. Ya, that adds up. Here's how I read it. "Hey everybody! We can easily eavesdrop on Skype calls and decrypt on the fly, please start using it. Or, everybody thinks we can't tap these calls, we'll use that as an excuse to get even more eavesdropping capabilities."
Either way I don't buy it.
Is it true that ISS's Proventia G100 can decipher Skype chat conversations?
While normally I would encourage a moderate dose of paranoia, I'd also recommend it to be balanced by Hanlon's Razor: never attribute to malice, that which is adequately explained by stupidity.
This being Germany, for a start you have to realize that the police doesn't seem to be particularly inclined toward conspiracies, nor any good at it. They're also (still) more monitored than what, judging by the news coming from the USA, seems to be the case with the FBI and CIA. These guys will tell you up front that they want stuff like the "federal trojan". Then it gets struck down as unconstitutional, lather, rinse, repeat.
At any rate, they're not the kind who'll do a backroom deal with some ISP to do it in stealth and secrecy. They're very open in requesting to be allowed to do all sorts of stupid stuff. Which I guess is the whole idea in a democracy and rule of the law.
Also, well, I don't know which particular group tried to crack skype, but the general stereotype about German public servants is... not very flattering. Not that they're evil or insidious, mind you. They tend to actually be nice people. More like just thoroughly lazy, incompetent, underworked, underachieving... you get the idea. Some more extremely than others. There's a whole category of jokes about them.
So, well, going by the stereotype, I'd really go by Hanlon's Razor there. There's a possibility that they genuinely don't have anyone who can crack anything above ROT13.
A polar bear is a cartesian bear after a coordinate transform.
Or perhaps, they want to be able to listen without a court order?
-Unresolved symbol? Byte me!
Tongue in cheek...
...and continue to develop the trojan...Yeah, but does it run on Linux? If they manage that, I'd be impressed.
I only post comments when someone on the internet is wrong.
Perhaps the German police need to borrow Colossus :-)
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
The quote seems to undermine your claim. Skype uses end-to-end public-key encryption, meaning that the company would not have the ability to decrypt phone calls or messages for authorities, any more than your ISP could decrypt an SSL session with your bank for authorities.
I'd love to say "Terrorists, you should do this instead..." but I don't want feds knocking on my door. I don't support terrorism, however I do support raising public awareness of digital security and mentioning what's working for us is also fighting against us.
Through P2P VPN networks, TOR networks, anonymous relays and botnets you can become mostly untraceable. The layered encryption of TOR would make decoding any digital string a nightmare - including getting a FOIA request out to every ISP that could have possibly routed traffic between TOR peers. Hosting your own TOR network is pretty dang easy as well. It's also not likely somebody will connect to a privately hosted TOR network, or even know where to look.
I personally host my own TOR network and channel IRC and IM sessions from my workplace through my home connection. You can do a heck of a lot more than that including host your own personal underground Internet. The same goes with Hamachi, however you are not nearly as anonymous.
Anybody that wants to stay hidden can easily hop on existing TOR networks and advertise their IRC server to any number of recipients. It's my impression that if you are computer smart enough to use Skype, you are smart enough to use IRC sessions under TOR, or even talk through SSH sessions on *nix machines. The possibilities to protect your transmissions are endless. The verification methods between yourself and others can be quite secure if you understand how it works.
By the way, you can tunnel just about anything through anything else.. most people disagree since there is no QOS and it's highly latent and inefficient. Remind yourself not to disagree or ignore silly methods of doing things just because you wouldn't want to do things that way. It's very likely that any terrorist/criminal activity over the Internet that uses encryption doesn't care about their voice quality as much as they care about getting information securely transited between them.
To the PD, source tapping is necessary if you want to prove you are doing all you can. I feel as though it is a highly futile effort. Technology doesn't need to change in order to evade source tapping, only the method of communication. Increase undercover efforts since that seems the best source tap in your arsenal, one it easily adjusts with the criminal activity.
First, it should be unbreakable. If the government can crack it, then so can anyone else. There are so many bogeymen on the 'net, that it would be ridiculously irresponsible to deploy an easy-to-break VoIP system.
Second, Skype is very breakable. There's no secure key exchange: Skype is a totally trusted introducer. Government, if you want to break Skype, just ask them to help with your MitM attack.
But that vulnerability should be Skype-only, and a "serious" VoIP system should be quite resistant. IMHO, phone apps should be built on OpenPGP, except also include some kind of OTP support since most people talk to people they regularly meet in real life. (Actually, I sort of think we need OpenPGP to be expanded to include a standardized OTP.)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
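The trusted-introducer weakness raised in the comment above, and the check that exposes it, as an added example (not code from this thread, from Skype, or from Zfone): each endpoint derives a short verification code from its session key and the two users compare the codes by voice, so an introducer that substitutes keys makes the codes differ. The toy Diffie-Hellman group, the function names and the 8-digit code length are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for this example): 2**127 - 1 is
# prime, but far too small for real use. It keeps the example stdlib-only.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for one endpoint."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive the session key from our private value and the public
    value we were *told* belongs to the peer."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def verification_code(key):
    """Short code both users read to each other over the call."""
    return hashlib.sha256(b"verify" + key).hexdigest()[:8]


def run_call(introducer_is_honest):
    """Simulate one call set-up through an introducer that relays public
    keys. Returns the codes displayed to Alice and to Bob."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()

    if introducer_is_honest:
        # Keys are relayed unchanged.
        pub_seen_by_alice, pub_seen_by_bob = b_pub, a_pub
    else:
        # The introducer hands each side a key it controls instead,
        # ending up with one session per leg of the call.
        _, m_pub_for_alice = keypair()
        _, m_pub_for_bob = keypair()
        pub_seen_by_alice, pub_seen_by_bob = m_pub_for_alice, m_pub_for_bob

    alice_key = session_key(a_priv, pub_seen_by_alice)
    bob_key = session_key(b_priv, pub_seen_by_bob)
    return verification_code(alice_key), verification_code(bob_key)


def call_is_end_to_end(introducer_is_honest):
    """True when both users would read out the same code."""
    alice_code, bob_code = run_call(introducer_is_honest)
    return alice_code == bob_code


if __name__ == "__main__":
    for honest in (True, False):
        a, b = run_call(honest)
        status = "match" if a == b else "MISMATCH: keys were substituted"
        print(f"honest introducer={honest}: Alice {a} / Bob {b} -> {status}")
```

The comparison only helps if it happens over a channel the introducer cannot rewrite convincingly, which is why such schemes have the users speak the code aloud.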
Unless they have the private key, of course. It should be trivial for Skype to get the private keys: After all, both the software and the protocol are proprietary; it would be trivial for them to include sending the private key to Skype's servers.
The Tao of math: The numbers you can count are not the real numbers.
As was pointed out to me once by somebody who worked in the field, a simple light bulb can be used as a two-way monitoring device if you have equipment sensitive enough to read the signal. It's all just energy, and you have no secrets. The cops don't know this, though, but they're not exactly in the loop.
Of course, I'm probably just talking through my head, right? The best way to keep secrets is to make the truth seem like a fantasy.
-FL
Yes, they could conceivably program their software to send the private keys to the server, but that would of course completely undermine the point of using Public Key Encryption, and also undermine their claim to providing "end-to-end" encryption, which I would think would make them liable for charges of false advertising or other things. There's no compelling reason for them to risk alienating their customers and possibly exposing themselves to legal liability, so I would tend to take them at their word. Of course, I might feel differently if I were considering using it to organize the overthrow of the government.
Duh. That's what encryption is supposed to do.
Screw those nosy spooks. I'd like to go to this demonstration tomorrow if I had the time.
So last year we heard that mysterious 'German Officials' were claiming they had technology for intercepting and decrypting Skype phone calls from no less of a source than the New York Times (via Skype forums): http://forum.skype.com/index.php?showtopic=54163
So, who pwns who?
[17] Leary, T., White, C., Wood, P. R., Bhabha, W. D., and Wirth, N. Lambda calculus considered harmful. In Proceedings
Skype can't break its own encryption. That's the whole point of encryption. /Maybe/ the NSA (or the Germans' equivalent if they have one) can break the encryption, but probably not.
Someone should re-educate the German government (and other governments who try this), that encryption is meant for a purpose... to prevent unauthorized individuals from intercepting the communications protected by the encryption. Let me re-state that in a simpler way:
If the German government is not the sender, or the intended recipient, they do not have any right to see, hear or intercept the information. Period.
If they can't decrypt the encrypted data stream, then the encryption is doing its job. That's the point.
If the encryption can be decrypted, then it is no longer encryption, and should be rewritten to properly secure the information again, locking out unauthorized access.
http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#eu-06
Skype has a slew of protections including code integrity checks, anti-debugging techniques, code obfuscation, and Skype network obfuscation.
Incidentally, Desclaux is the author of the Rasta Ring 0 Debugger [RR0D] which is not detected by Skype.
From what I understand about Skype in general is that while the contact information (i.e. your Skype contacts) is centralized, calls and chats are done peer-to-peer without necessarily connecting to a central server. Therefore at least the chats which are always encrypted by default should be pretty secure because it at least seems very improbable (and impractical, too) for your Skype client to open a second connection to a central server for the means of logging all that stuff. For calls I'd assume it's the same.
So yes, while technically this is still doable, it's highly impractical and I guess that is the problem authorities are whining about. Even if they ask the central in Luxembourg to log all stuff and hand it over, they just don't have the means to get it there.
It's widely acknowledged that Tor can easily be undermined by establishing compromised nodes on the network. Since Tor was originally a US Navy project and is well known, I think it's safe to assume that the network is at least partially compromised.
I think that if you're up to something that's attracting the attention of the intelligence agencies, your communications will be compromised if you're using a global network. VPNs and encryption like SSH are dependent on the strength of your keys and passphrases. Systems like Tor depend on trusted nodes. Phones can be tapped. Cars with OnStar can eavesdrop on your conversations with a court order. All you need to do is mess up once.
Conformity is the jailer of freedom and enemy of growth. -JFK