Skype Encryption Stumps German Police

TallGuyRacer writes "German police are unable to decipher the encryption used in the internet telephone software Skype to monitor calls by suspected criminals and terrorists, Germany's top police officer, Joerg Ziercke, said. "The encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it. That's why we're talking about source telecommunication surveillance — that is, getting to the source before encryption or after it's been decrypted.""

Skype unbreakable?

[niceone]

Well, it seems they are not really trying - they are not even talking to Skype about it.
What they want is permission to install spyware - something that is illegal in Germany at the moment:

Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using "Trojan horse" spyware.

That's the real point of the story, not that Skype is unbreakable.

Re:Skype unbreakable?

[Silver+Sloth]

Indeed. Also from TFA

Spyware computer searches are illegal in Germany, where people are sensitive about police surveillance due to the history of the Nazis' Gestapo secret police and the former East German Stasi. I would hope that they are illegal in any civilised country.

Re:Skype unbreakable?

[GroeFaZ]

Exactly. The Anti-terror craze has long reached German lawmakers, and they are in a rage creating law after law (though not as bad as in the US and UK) and seeing what survives the Bundesverfassungsgericht, the court that decides if laws are against the German Grundgesetz (Basic Law, comparable to the US Constitution).

In the case of the "Federal Trojan", it was decided in 02/07 that such measures are illegal to conduct, and decisions made by the Bundesverfassungsgericht are equivalent to laws. So what they're doing now, they're keeping the discussion (and the fear-mongering) alive and continue to develop the trojan despite it being illegal, in an effort to undermine that decision. Most notorious for this behaviour is, of all people, our Minister of Interior, Wolfgang Schäuble. He repeatedly clamored and still clamors for this and other measures which are explicitely forbidden by the Grundgesetz and the Bundesverfassungsgericht, for example shooting down abducted planes. He's one of the single largest threats to what he has to protect by job description, namely the Grundgesetz.

Re:Skype unbreakable?

[OrangeTide]

Governments often tell us that there is some threat that they want to protect us from, and if we just give up a little bit of our freedom they will make society much safer. We fall for this trick over and over again.

Re:Skype unbreakable?

[oliverthered]

As a good example,
The US managed to get the UK to agree to deport anyone they asked for in case they were terrorists.

The first people the chose to ask to be deported were a bunch of bankers that had done some dodgy dealings, hardly terrorists.

And what's worse/better is that the US didn't hold up to it's part of the bargain and sign up to a similar agreement.

Re:Skype unbreakable?

[BobTheLawyer]

Why? If the police can, in extreme situations, apply to a court for a warrant to search a suspect's house, open their mail or tap their phone - and the US and almost every other country allows this - why shouldn't they be able to search a suspect's computer?

Re:Skype unbreakable?

[bug1]

Well, what if it DOES make society safer?
Safer for society as a whole, or safer for the elites ?

is there a balance of some sort to be found?
A perception of balance... balance according to which perspective ?

What's a good place to draw the line?
Does there have to be a "line", can freedom vs security be seen in black and white ?

People always repeat the "he who sacrifices liberty for security..." line, but what would a better solution be?
Those with power will always say they need more of it, how can those with power be prevented from abusing it ?

Zero policing?
Is there any point having laws if they aren't enforced ?

No laws?
If there were no state imposed laws would human behaviour still be government by morality/ethics, are they laws ?

Absolute freedom?
Is freedom a state of mind ?

Would that mean complete chaos and anarchy, and if so, is the freedom still worth it?
Does anarchy imply chaos, or just a lack of authority ?
Do humans have the ability to abandon all order ?
How would you describe chaos in a society ?
Is freedom an abstract concept, if so, on what terms do you value it ?

Why?
I could answer that, but i have to go.

I look forward to rexchanging opinions again in the future.

Re:Skype unbreakable?

[vrai]

And what's worse/better is that the US didn't hold up to it's part of the bargain and sign up to a similar agreement.

Not that I'm defending this treaty in anyway, nor the period during which it was unilateral, but the US Senate signed off on it last year. Apparently the Senate was concerned that the UK might use the treaty to extradite IRA members who had fled to the US and that would apparently be a bad thing.

Re:Skype unbreakable?

[TheRaven64]

It seems to me that, even if it were legal, it would be very hard to admit as evidence in court. If a computer is compromised then the defendant has a good defence against being responsible for anything found or done with the computer. The hard part, usually, is proving that the computer was compromised. If the prosecution are claiming that they are the ones that compromised it then there is no way a decent barrister would fail to convince the jury that their client had absolutely no responsibility for anything done to the computer.

Re:Skype unbreakable?

[ewn]

Well they can already do that now, for example by installing microphones in suspect's homes, but it requires a court warrant and a considerable amount of work. The Bundestrojaner would make snooping simpler, both in technical and in legal terms. And we know that if technology is cheap and simple, it's going to be used more. That is, i think, the government's goal here: gaining the ability to infiltrate a large number of computers, say of a significant percentage of Muslim citizens, or the globalization sceptics of Attac, or any other group that potentially features undesirable behaviour. No court would ever allow such a sweeping surveillance, and the police doesn't have the resources to bug thousands of homes anyway.

Re:Skype unbreakable?

Apparently the Senate was concerned that the UK might use the treaty to extradite IRA members who had fled to the US and that would apparently be a bad thing.

So the US government supports terrorism. Presumably only if it is done by white people with cute accents.

The US people also supported terrorism back in the day (well, those that claim to be Irish), before they understood the actual reality of terrorism.

I doubt the UK government would want to get into the hassle that extraditing any such people would inevitably lead to of course, but if the US is harbouring and protecting terrorists willingly then it really needs to sort out what its story is regarding terrorism.

Re:Skype unbreakable?

[presarioD]

Well, what if it DOES make society safer?

History has repeatedly proven that when a government asks its citizens to give up liberties it is working against making society safer but more absolute and submissive. Can you provide with any example where people who gave up their freedoms became safer? I can cite alot of counterexamples: nazi/fascist/communist governments that miserably failed in all fronts, including safety (the state safety-keeping apparatus turned against the citizens). Now neo-capitalism wants to join the club and they are going to be different exactly why?

Please don't use the words "democracy and freedom" in your answer, I've just eaten...

Re:Skype unbreakable?

[Sique]

There is a big difference between tapping a phone or a search warrant on the one side and a secret search of one's computer.

For a search warrant to be executed the suspect has to be present, or at least an outside witness has to be present. (I don't know about the legal situation in the U.S., but at least in Germany this is the case.)

Phone tapping can't create phone conversations that never happened.

But if you can install a software on a person's computer without him noticing, then you could also put counterbande files like the oh so beloved bomb construction howtos or kiddie porn on the computer.

The main problem with secretly spying on a computer is that it compromises the computer. From a legal point of view material gained with a secret computer search shouldn't be brought to court, because there is no way to prove that the evidence isn't faked.

Re:Skype unbreakable?

[Yokaze]

In Germany, secret searches of homes are prohibited. IRC, they have to happen in the presence of a member the household, or a neighbour. The telephone, mail and internet communication are not part of the home, and can be secretly monitored under the observation of a judge. The suspect has to be informed afterwards. The home enjoys a much stronger constitutional protection than communication.

Of course, the ministry of interior and the police argue, that they can't stop the terrorists, if they can't secretly hack the computer and monitor their communication.
And of course, it will only be used for severe crimes. Normal people have nothing to fear.

Re:Skype unbreakable?

[bhima]

I've thought about this idea that the Bundestrojaner would make snooping cheaper and easier. I think it would have another effect: About 15 minutes after they let the first one out into the wild some teenager in Slovenia would publish a CLI app that would detect and disable it or alternately hijack the app to share the contents of the drive on whatever P2P app Slovenian teenagers are into this week. Then everyone who *really* had a reason to make sure they were not infected would have this app and only the average Joe would be out there sharing his hard drive contents with the world.

Re:Skype unbreakable?

[Vlad_the_Inhaler]

The term GröFaZ was *not* something you wanted to be caught using when the Nazis were in power. It is a (disrespectful) abbreviation of 'Größte Führer aller Zeiten' (Greatest leader of all times) which was what the Nazi party propaganda machinery used to call their big boss.

Re:Skype unbreakable?

[Sique]

I like the old calculation we had in statistics:

- There is a severe sickness, which only one of 100,000 people gets.
- There is a test for this sickness, which is 99,9% accurate, that means, that the result of only 1 in 1000 persons is wrong. (In reality you have two numbers, one giving how high the rate is to give a false positive, and another one for the false negatives, but for the sake of the calculation we consider them equal).

How high is the chance, after you got tested positive, that you in fact have the severe sickness?

In 99 out of 100 this was a false positive.

The same goes for the search of terrorists.

Terrorists are very seldom, lets say that only 1 in 100,000 persons in Germany is a terrorist (this still gives 800 terrorists living in Germany, far too much compared with the number of terroristic acts committed!). Lets say that the police has means to be 99,9% accurate to tell beforehand if a suspect is a terrorist or not, before asking for secret computer searches.

It still means that in 99 out of 100 cases a complete innocent person's computer will be searched.

Re:Skype unbreakable?

[Vlad_the_Inhaler]

Back in the days of Ronnie R, the governments of Mozambique and Angola were:
a) - Communist (they may be still be)
b) - Neighbours of South Africa and supporting the ANC against the Apartheid S African government.
c) - Opposed by S African-sponsored rebel organisations (S Africa was trying to destabilise the opposition).

Both rebel organisations fit pretty much any definition of 'Terrorist' you can come up with. The US under Reagan helped finance both sets of terrorists in the name of opposing Communism.

The Contras in Nicaragua were almost as bad and they were pretty much a creation of the US.

The Taliban were also US sponsored (via Pakistan) for a while, at this point the line between terrorist and freedom fighter becomes blurred. That particular turkey has come home to roost.

Now going back to the actual article here:
Experts say Skype and other Voice over internet Protocol (VoIP) calling software are difficult to intercept because they work by breaking up voice data into small packets and switching them along thousands of router paths instead of a constant circuit between two parties, as with a traditional call.
If I was in Joerg Ziercke's position, I would probably announce that Skype's encryption was too strong once it had been cracked - to get the people you want to watch using Skype. Are the packets really sent along 'thousands of router paths'? Obviously the potential is there but I normally expect most of the packets to take the same route.
A few years ago it was announced that digital mobile phones could not be overheard, I wonder if that still applies.

Re:Skype unbreakable?

[Dogtanian]

I think that comment is too broad reaching. Specifically, the senators from New York and Massachusetts, where the Irish-American political influence is strongest, opposed this extradition treaty. That's the ultimate hypocritical irony. You'd think that New Yorkers would be less inclined to support terrorists after 9/11, but it looks like the old double standard is still in place. Or at least if there are a few votes in it.

The rest of the country didn't care, but it was never high on the U.S. priorities. They probably didn't care because the UK had already enacted its side of the bargain. Frankly, the UK government should have shoved this alleged agreement to the bottom of the pile until the US stopped trying to appease a (supposedly) tiny minority of sentimentalist fuckwits.

And frankly, if the rest of the country didn't care about this anti/pro-terrorism double standard and blocking their side of a bargain that was supposed to be in their interest, then they're just as guilty.

Can you imagine what would have happened if- during the 1980s- an organisation had tried to kill senior members of the U.S. government, including the president, and had come damn close to succeeding? And the UK had continued to allow fundraising for this organisation? That's exactly what happened in reverse with the IRA, and it defies belief that there was so little diplomatic fall-out- and it's also damn obvious that if the Americans were victims this would never happen in reverse.

And years later, when it's the US's turn to suffer the effects of terrorism, and the sycophantic UK government led by that contemptible poodle, Tony Blair, is going along with virtually *everything* their government wants, the US is still letting a bunch of sentimentalist IRA-sympathising scum and hypocritical vote-seeking senators dictate the same old double standards?

Seriously, this is beneath contempt.

Re:Skype unbreakable?

[ReeceTarbert]

apply to a court for a warrant

You've just answered the question yourself: without a search warrant, the scope for abuse is immense.

Of course there are the usual, broad categories (terrorist, pedophiles, criminals, etc.) that make it sound as the sensible thing to do, but once you grant such sweeping powers, what's preventing the police to use them to spy on political opponents, activists, or anyone else who just happens to "think different"?

RT
--
Your Bookmarks. Anywhere. Anytime.

Re:Skype unbreakable?

[sumdumass]

The idea of compromised is a subjective term in most situations. When the Government or police do it, it is a tool, when credit card number spamer is doing it, it is compromised.

You see, the idea behind the compromised portion deals a lot with the intent of who compromised it. Compromised means that you don't know their intent, what they have done and cannot trust the computer for anything. This wouldn't necessarily be the case when the police do it. At least not in the virgin eyes of the courts who still believe the police wouldn't act in an unlawful manor.

Re:Skype unbreakable?

[Sique]

It's simple math.

If you randomly test 100000 people, only one of them will have the sickness. 99999 are healthy. Of those 99 will be tested positive because one out of 1000 will falsely be tested positive.

Re:Skype unbreakable?

[TooMuchToDo]

If the police can compromise a computer, then anyone else with the right tools can. Therefore, anything found on the computer should not be admissible as there's no way to verify who (myself, the police, or a remote malicious user) has manipulated the contents of the PC.

Re:Skype unbreakable?

[corsec67]

Especially since the police hack could introduce other vulnerabilities into the system that makes it easier for other people to exploit.

Re:Skype unbreakable?

[sumdumass]

When the tight tools means physical access to the machine or a direct connection through the ISP, then the likelihood of all else drops dramatically.

There is a possibility that everyone whoever has been arrested had been framed, but the likelihood is so small that not everyone claims it nor do others think it. IT would depends a lot on what steps needed to be taken and how likely someone else could take those steps. I could also be possible that the police end up seeing some other party putting the incriminating stuff onto your PC. But ultimately, it would/could be your defense that the computer was infected with something and you couldn't get rid of it. Or something similar to that. We have seen this in the past and it didn't fair to well, remember the schoolteacher who had pornographic popups due to malware on a presentation computer and ended up getting something like 40 years?

Re:Skype unbreakable?

[Mattsson]

It's rather obvious that what you regarded as terrorism depends on who you are.
There isn't many who see themselves as evil terrorists who's only goal is to murder and destroy.
They see themselves as freedom fighters, holy warriors, the peoples saviors, etc, etc.
Those who get shot, bombed, maimed, etc, see them as terrorists and any who support them as supporters of terrorism.

Re:Skype unbreakable?

[TooMuchToDo]

Ah, but the police can't guarantee that the "patch" they install, nor their initial malware install isn't open to vulnerabilities.

Re:Skype unbreakable?

[Kattspya]

Hmmm... If it was Keitel that coined the term he probably didn't mean it in a negative sense. Keitel is probably one of the greatest yes-men ever. It's not so surprising that he was the author of that sentence only he was serious. It looks like the ones who didn't like Hitler took that phrase and ran with it.

Re:Skype unbreakable?

[neomunk]

I'll go through the list, but first let me state that most REASONABLE laws are a balance between two parties' freedoms, not a trade off between liberty and security. There have been many unreasonable laws implemented (as the GP points out) and you offer quite a few of them in your list. Here we go, point by point:

Yelling "fire" in a crowded theater?

Actually, look up the origins of this ole' gem. It was coined in an attempt to stifle political dissent, not a very good example of enhancing security. In the LITERAL case of yelling fire in a crowded theater, you are infringing upon other people's essential freedom of reasonable safety. By putting other people at risk of personal harm you are doing more infringing than you are expressing, and the law demonstrates proper balance.

I know, some of you are going to point out that "people's essential freedom of reasonable safety" is the same thing as security. The difference is a matter of quantification. Figuring HOW MANY people are you prevented from losing the freedom of REASONABLE (it's caps because it's important) safety, balanced against the freedoms you are limiting in the attempt is a little easier to get your hands on than 'what about the children?!?', if you catch my drift. In most cases today when you see the balance of safety/liberty being called into question, it's almost always obvious which side is more reasonable just my doing the math. You know, things like (number of people hurt by terrorism)/(number of people wiretapped) and so forth. Patterns start to emerge, and the results are starting to look obscenely lopsided.

The rights of states to secede from the Union?

That had nothing to do with security, and everything to do with economics and nationalism. No balance between freedom and security to find here, only a balance between freedom and economic and social factors.

The right to own slaves?

Again, you have no right to infringe on other people's rights. Any laws written in such a vein are tools of oppression/division. And how EXACTLY does this particular infringement of freedoms make people safer? That's an odd proclamation to make.

The right to marry multiple women?

Again, where does this have anything to do with security? And what about the right to marry multiple MEN? I don't understand at all where you're going with this question, it's just another example of a law designed to make the population more submissive to authority.

The right to fuck children?

Again, this is a serious infringement of someone else's rights. You are doing serious harm to a child by 'fucking' them, thus infringing on their liberties in a manor grossly outweighing any expressions of freedom you may claim.

The right to freely use/purchase/sell heroin?

Here's where you come close (still no cigar). In my personal opinion, this is another case of bad law. You should have absolute sovereignty over what substances enter/do not enter your system. However I CAN UNDERSTAND (though still disagree with) the argument that heroin use increases the chance of committing other crimes. In this case it is STILL bad law, because it's making illegal the increase probability of infringement of other's rights, not actual infringement.

The right to plot the assassination of the President of the Unites States?

FFS, this is ludicrous. First, if it IS illegal to plot such a thing with NO INTENTION of acting upon it then that is bad law at it's shiniest. Second, if you're planning to DO such a thing you're (of course) attempting to infringe on another person's essential right to life. Can you figure out the balance here?

The right to kill for any arbitrary reason?

I've covered this in sufficient detail.

The right to cross the highway on foot?

You're infringing on other's rights to properly use the equipment they own (have paid for), their rig

Re:Skype unbreakable?

[Alsee]

You have a stable society when some nut guns down a schoolyard and the law does not change.

I happen to live in New York. I for one refuse to allow terrorists to terrorize. I for one refuse to cower in fear. Terrorists can kill a number of people - any drunk nut with an automatic weapon in a schoolyard or a mall can kill a number of people. However terrorists cannot destroy America. Only Americans can destroy America - fearmongering powermongering gestapo-police-state idiots terrorizing fellow Americans into destroying America.

It's funny how it was New York that got hit on 9/11, but how New Yorkers are some of the loudest voices objecting to fearmongering and objecting to surrendering freedom in the name of police-state security measures.

I live in New York. I refuse to be terrorized. We need to pursue and combat terrorists - be we need to do it in a pre-9/11 world with a pre-9/11 mindset and pre-9/11 laws.

First you ensure rights and civil liberties and limits on government powers, and then and only then do you pass laws and allow police to pursue criminals within those constraints. It would certainly be easier for the police to prevent crime and catch criminals in they could engage in warrantless searches and seizures and wiretaps, it would indeed make us safer from common criminals. But no, "actually making society safer" is not an acceptable or tolerable justification. First you ensure rights and civil liberties and limits on government powers. If the police then overstep those bounds, if for example the police obtain evidence without a proper search warrant, then the evidence is thrown out of court and the criminal goes free. And setting the criminal free is the correct response, because a government which itself has become criminal is a far more dangerous thing than any criminal individual. Sometimes liberties and rights are a nuisance and impediment to police fighting crime and catching criminals, oh well, too bad.

Terrorists have failed to terrorize me, but some of my fellow Americans have me scared shitless. People who advocate fear, people who use it as an argument to surrender their own liberty and rights, and to forcibly revoke OTHER PEOPLE's liberties and rights, to destroy America.

Warrantless wiretaps. Free Speech Zones. Arbitrary non-judicial National Security Letters. Denial of Habeas Corpus. A president who calls the Constitution a "Goddamn peice of paper". Torture.

NO, it is not worth it. NO, NOT even if it "does make society safer".

P.S.
I wrote first hand as an American and in relation to specific issues of my fellow Americans, but the message itself is intended to be global. There are frighteningly many people all across the globe who like police states and who think it is a grand idea for themselves to infringe the rights and liberties of others in the name of security. It was just easier to speak in a first hand context, with 9/11 potentially becoming America's own version of the Reichstag fire. Violating rights and liberties and instituting police state measures is a global pattern, fearmongers who wish to institute such measures in the name of security are the real enemy. They need to be fought from the start, for the process and the government powers feed upon themselves and it becomes increasingly difficult if not impossible to oppose them after they have gotten rolling.

-

I long for the day

[GroeFaZ]

when technology allows brain implants and wireless brain-to-brain communication. Oh joy.

Re:I long for the day

[MichaelSmith]

when technology allows brain implants and wireless brain-to-brain communication.

Then Governments will want to install spy ware in your brain to listen in on your illegal communications/thoughts. Just make sure you aren't remembering any songs against the wishes of the copyright holders.

Re:I long for the day

[KiloByte]

Naturally, it would be strange if no one thought of making such a phone. What bothers me is, no one seems to use encryption. We're swamped with news about latest new and shiny phones, yet there's never a word about a real phone having such a feature. This /. article, for example, talks about Skype which is not available on portable devices -- and even if it was, black-box encryption is worthless. Skype is known to cooperate with China, for example -- so their encryption may be trustworthy enough against Johnny ScriptKiddie listening on a r00ted router, but not much more.

To get the uninterested population use it, encryption would have to be completely transparent. This is easy to do -- GSM connections are nothing but a compressed stream of bits anyway, they don't have to be understandable to pass through the network; if the stream includes a handshake it will be encrypted, if not, it's a talk with a non-compatible phone and will proceed in clear text^H^H^H^Hvoice. Adding key management would be a must for those with a clue about security, but if most users get an alarm if someone's public key changed, this would be a huge plus. Heck, do YOU preseed your ssh known keys? I admit I don't, being vulnerable to a MITM if someone gets me during the first connection.

ssh can replace telnet without a layman user even knowing the difference. If you can do the same with phones, we're golden.

Great

[dalmiroy2k]

Not only Skype gives us free, multiuser lag-free video conference with excellent quality, now we know our conversations are private.
I have nothing to hide, but nothing to share either.

Re:Great

[paulhar]

Assumption: this isn't dis-information designed to make us all feel safer about using Skype's encryption

Re:Great

[Slashidiot]

Just to be extra-safe, I'll be using skype and talking in ROT13.

Re:Great

[abigor]

I wouldn't trust skype encryption to be secure, after all everyone has the capability of decrypting it with the skype client.

  I can't see how it would be that difficult to monitor traffic through an ISP's gateway. This is incorrect - Skype uses RSA and symmetric session keys, not a permanently fixed symmetric key. Only the person(s) you want to hear your call will be able to hear it.

There is no way to monitor Skype traffic at the ISP.

You can read an independent security review here: http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf

isn't that the point of encryption?

[petes_PoV]

encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it.

Whether it's the police or just some nosey old git (Q: how can you tell the difference?) who's eavedropping on your conversation, the point is that only the person you're talking to should be able to decrypt the data.

If the police don't like that, that can always try to outlaw it - or require that keys are made available to them.

The problem you get then is people who "spoof" an encrypted datastream by just sending random numbers (tho' not from a Microsoft source as we've recently been told) down the line.
How do you know when a stream of apparently encrypted data has been decoded anyway?

Re:isn't that the point of encryption?

[sid77]

If the police don't like that, that can always try to outlaw it

If cryptography is outlawed, bayl bhgynjf jvyy unir pelcgbtencul.

Good Police Work

[hanssprudel]

This is a good thing. Having to install monitoring at the source or destination means an operation that requires effort and, hopefully, a court order. This means that their is judicial oversight, and that to catch criminals police have to do, you know, police work rather than just sitting around spying on us.

Ubiquitous encryption does not make law enforcement impossible. It just makes indiscriminate law enforcement impossible.

Plenty of attacks left, thank you very much

[Noryungi]

According to this PDF document, Skype encryption is based on open standard (such as AES, SHA-1, etc).

According to this article, our good friends at the NSA "may" have put backdoors in some of the technologies that could be used by Skype.

And, then, according to this other article, it does not matter what technologies you use, if your CPU is wide open to analysis and crypto attacks.

And, of course, there is the question of using a 'secure' communication system on a completely insecure operating system, such as Windows. Why do you think they talk of intercepting the communication before it becomes encrypted? Probably because the vast majority of suspects use Windows. Using Linux, or MacOS, would not be much of an improvement either.

Conclusion? Well, the Bundespolizei (that's German police to you) may not have the means to decipher your skype communications right now. But it's getting there, thank yo uvery much. And there are agencies out there who certainly can, and will.

And what happened to free german crypto? I thought Germany had the only sane policy about crypto in the industrial world?

Re:Plenty of attacks left, thank you very much

[SerpentMage]

Yeah I think they can't break the encryption, and not because they can't break the encryption itself. But if you read the article look at what it says.

>> Experts say Skype and other Voice over internet Protocol (VoIP) calling software are difficult to intercept because they work by breaking up voice data into small packets and switching them along thousands of router paths instead of a constant circuit between two parties, as with a traditional call.

That's the real problem. The packets are scattered all over the place and they can get a lock on the data. They probably can break the encryption but then they would only get piecemeal information sort like, "Plan " ... " meet " .... " blow " ... " place "... Which could mean "Plan A is to meet tomorrow and blow the place beside the train station... " OR "Plan to meet tomorrow at the new pub, and blow the old place like a pop stand." Same missing words, two entirely different meanings...

Interesting... You could develop an encryption where fifteen people talk and give pieces of the sentence and the meaning is only apparent when you piece everything together....

Re:Plenty of attacks left, thank you very much

[deroby]

WOOHOOOHOOO, I'm sooo scared now.

So what if Skype alters my Firewall settings : I 've strictly allowed it do do so !
(Tools Menu, Options, Advanced, Connection, [v] Allow Skype to modify my firewall settings)

Maybe the setting is on by default, not sure, but if it makes my Skype-experience any better, I don't see why I we have to 'create panic' like this ...
If you don't want any open ports, then don't install software that needs it in the first place, period.

Sigh.

yes, it's not rot13

[borkee]

and german police is not alan turing, obviously

Don't throw me in dat dere briar patch!

[fishdan]

We cannot break Skype encryption, and we have publicly announced that, so it's perfectly safe for you to keep on using it! Really!

Re:Don't throw me in dat dere briar patch!

[Fzz]

This is exactly what I would proclaim if I was able to decrypt the traffic and want users to think that I couldn't. Maybe not all whatever terrorists would fall for this but some would.

But then again, maybe they're smarter than this. Maybe they really can't break it. But they want you to think they can break it, so they tell you they can't, because they know terrorists (and slashdotters) always expect the government to try and mislead them. Great way to undermine confidence in Skype in circles of suspicious users, without causing problems for the regular users. You obviously fell for it :-)

Snatch 2007

[moro_666]

couldn't resist. this is just so "snatch" :

Turkish: F*ck me, hold tight. What's that?
Tommy: It's me belt, Turkish.
Turkish: No, Tommy. There's a Skype in your trousers. What's a Skype doing in your trousers?
Tommy: It's for protection.
Turkish: Protection from what? "Zee Germans"? ;-)

It's all about building trust..

[OlivierB]

Oh noes, the police can't decipher Skype! We're all gonna die!
Yeah right.
If you are paying attention, Skype is incorporated in Luxembourg, which is part of the EU, just like Germany (they actually share borders).
Do you think the EU would allow for some European company to provide tools to "terrorists" without having eavesdropping ability?

Now for the real story; German Police is putting on a little show so people actually trust *more* the closed-source Skype software.

If the German Police had no way of eavesdropping they would either (a) Shut up about it or (b) Actually say they have supercomputers that can decipher anything (even if this is not true). (a) or (b) would create enough FUD for "terrorists" to actually distrust Skype as a communication medium.

This is all spin doctor speak, and I would never trust Skype for sensitivie material communications. The Zfone project http://zfoneproject.com/ is a much more secure system.

Getting Through the Encryption Not the Story

[segedunum]

Getting through the encryption is not the story here. What they want to do is this:

"There are no discussions with Skype. I don't think that would help," he said, adding that he did not want to harm the competitiveness of any company. "I don't think that any provider would go for that."

If you are talking about getting to data after encryption, or before, why wouldn't you talk to Skype?

Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using "Trojan horse" spyware.

This is completely unrelated to being able to tap encrypted communications. This is on a whole different level, and contravenes many laws brought into many countries for spyware and data protection.

These searches are especially important in cases where the suspects are aware that their internet traffic and phone calls may be monitored[?????!!!!!!] and choose to store sensitive information directly on their hard drives without emailing it.

God only knows what this means.

Ziercke said worries were overblown and that on-line searches would need to be conducted only on rare occasions.

How would they propose to do this, and get 'software' installed undetected?

"We currently have 230 proceedings related to suspected Islamists," Ziercke said. "I can imagine that in two or three of those we would like to do this."

Well, being an Islamist or belonging to some other group is not a crime, and I dare say if you searched many peopless hard drives for stuff about bombs and explosives then you could find something. That doesn't mean that they're going to do anything.

This is yet another old and decrepit security services organisation, worried about its future, worried about its funding, people who are worried about their jobs and worried about its place in the world.

Re:Getting Through the Encryption Not the Story

[bhima]

"Islamist" is newspeak for a militant extremist Muslim. In my mind, because it lacks militant or extremist, it is double plus ungood.

I hear it on the English language news broadcast in Austria / Germany all the time. Don't they use it in the US?

Suspicious Minds

[LordMidge]

The first thing I though was if I could hack a telephone system out of many what would I do?
Tell everyone I can't and get as many people using that system so that I can listen in onto as many as possible.
I'll go put my tinfoil hat on again now.

Smells like BS to me

[DrXym]

Even assuming the crypto is perfect, the police would still be able to infer a lot from who is calling who. A terrorist communicating with another terrorist, shows they know each other, where they are in the world, what their calling routines are (frequency, time, who they call next), the length of conversation and so on. They might even be able to infer who is doing the most talking from the amount of traffic in each direction. All without knowing the actual conversation text.

And that assumes the crypto is perfect and the police / intelligence services are incapable of decrypting it, playing man in the middle, or failing that installing a trojan, or planting a bug, or listening through a wall or whatever.

It sounds like BS. Even perfect crypto gives them more information that they had to begin with. It sounds like they want to have their cake and eat it too.

Lost in Translation

[DancesWithBlowTorch]

That's a translation problem. The agency in question here is the "Verfassungsschutz" (meaning, ironically, "Federal Agency for the Protection of the Constitution"), which is the German Version of the NSA (not that this name is any better). The submitter just couldn't be bothered to go through all that hassle and called it "the police".

Now, while the VS certainly doesn't have the means of the NSA, it is indeed a rather sophisticated service, and I am entirely convinced it is not beyond their means to employ really good security experts.

Re:Lost in Translation

[Alphager]

That's a translation problem. The agency in question here is the "Verfassungsschutz" (meaning, ironically, "Federal Agency for the Protection of the Constitution"), which is the German Version of the NSA (not that this name is any better). The submitter just couldn't be bothered to go through all that hassle and called it "the police".

Now, while the VS certainly doesn't have the means of the NSA, it is indeed a rather sophisticated service, and I am entirely convinced it is not beyond their means to employ really good security experts. Nope, Ziercke is President of the BKA, the Bundeskriminalamt. That's the federal equivalent of the LKA aka Landeskriminalamt aka Police.

I'm concerned about my uncles dog.

[forgoil]

Are they really thinking that they can thwart terrorists and such with this kind of surveillance? Any nonsense sentence can be a code to act, it's been used for ages. The idea of the intelligence organization sitting in cubicles and spying from a chair is bound to fail, and has failed many times over. So this is both useless, and effectively is spying on a countries citizens. This is what Stasi did, this is classic KGB, it smells of Gestapo, is this what we call freedom? Privacy is more important than it has ever been, and we will fight for it, and declaring war on your own people because they want their privacy is just as bad as the terrorists and the mafia.

Tech Savvy terrorists

[nfractal]

The possibility of terrorists using skype is there yes, but right now according to most police forces IMHO is increasingly through use and throw sim cards over plain vanilla cellular networks.

And without any encryption to boot, most conversations are phrases within local dialects which listed out would mean anything from a shopping list to a planned assasination. The point here is rather than spying on the content its the point of origin and the investigative techniques used by most third world countries today that'll help. And definitely not the backdoors left in most protocols used by skype et. all by all the three letter agencies.

The type of curbs being tried by the German Police would essentially be useful against big time money laundering and crimes similar in vein.

Idiots, Skype decrypts calls for all authorities!

[barwasp]

Skype is a telecommunications company and for having their teleoperator license required to allow wiretaps for law enforcement purposes - so it works also in USA. Or do you thing that USA would just allow osama bin laden to host conference calls with wannabe terrorists using Skype. In fact Skype clearly admits that they decrypt the calls for all requesting authorities.

Kurt Sauer, Skype's chief security officer, said there are no "back doors" that could let a government bypass the encryption on a call. At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided. The german police just wants to install trojan horses for monitoring the germans. If the polizei were really after those encrypted skype calls they would just sue skype, and not be whining their lack of skills in public.

Hanlon's Razor

[Moraelin]

While normally I would encourage a moderate dose of paranoia, I'd also recommend it to be balanced by Hanlon's Razor: never attribute to malice, that which is adequately explained by stupidity.

This being Germany, for a start you have to realize that the police doesn't seem to be particularly incline toward conspiracies, nor any good at it. They're also (still) more monitored than what, judging by the news coming from the USA, seems to be the case with the FBI and CIA. These guys will tell you up front that they want stuff like the "federal trojan". Then it gets struck down as unconstitutional, lather, rinse, repeat.

At any rate, they're not the kind who'll do a backroom deal with some ISP to do it in stealth and secrecy. They're very open in requesting to be allowed to do all sorts of stupid stuff. Which I guess is the whole idea in a democracy and rule of the law.

Also, well, I don't know which particular group tried to crack skype, but the general stereotype about German public servants is... not very flattering. Not that they're evil or insidious, mind you. They tend to actually be nice people. More like just thoroughly lazy, incompetent, underworked, underachieving... you get the idea. Some more extremely than others. There's a whole category of jokes about them.

So, well, going by the stereotype, I'd really go by Hanlon's Razor there. There's a possibility that they genuinely don't have anyone who can crack anything above ROT13.

Two points

[Sloppy]

First, it should be unbreakable. If the government can crack it, then so can anyone else. There are so many bogeymen on the 'net, that it would be ridiculously irresponsible to deploy an easy-to-break VoIP system.

Second, Skype is very breakable. There's no secure key exchange: Skype is a totally trusted introducer. Government, if you want to break Skype, just ask them to help with your MitM attack.

But that vulnerability should be Skype-only, and a "serious" VoIP system should be quite resistant. IMHO, phone apps should be built on OpenPGP, except also include some kind of OTP support since most people talk to people they regularly meet in real life. (Actually, I sort of think we need OpenPGP to be expanded to include a standardized OTP.)

Last Year 'German Officials' pwned Skype?

[vic-traill]

So last year we heard that mysterious 'German Officials' were

claiming they had technology for intercepting and decrypting Skype phone calls from no less of a source than the New York Times (via Skype forums): http://forum.skype.com/index.php?showtopic=54163

So, who pwns who?