Slashdot Mirror


German Govt. Skype Interception Trojans Revealed

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutor's office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other details. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."

172 comments

  1. Germany by CastrTroy · · Score: 2, Interesting

    Germany still seems to have a lot of its old attitudes lying around. Installing trojans on the computers of its citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure your computer isn't compromised when making phone calls?

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Germany by gnasher719 · · Score: 2, Interesting

      Germany still seems to have a lot of its old attitudes lying around. Installing trojans on the computers of its citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure your computer isn't compromised when making phone calls?

      1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations.
      2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally.
      3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

      It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

    2. Re:Germany by TransEurope · · Score: 2, Insightful

      And to do the same without public announcement is better? Or what "old attitudes" have CIA and NSA? Are they Nazis too? Or worse?

    3. Re:Germany by Anonymous Coward · · Score: 2, Funny

      How long before the gestapo packages up a Linux live CD with Skype preinstalled and distributes it as secure?

      Fixed

    4. Re:Germany by CastrTroy · · Score: 4, Insightful

      The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road. They aren't allowed to walk into your house and watch you all day. Once they start installing trojans on computers for listening to skype calls, it's not a far stretch from them installing trojans to record every action you do on your computer.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:Germany by trewornan · · Score: 4, Insightful

      Germany still seems to have a lot of it's old attitudes lying around.

      Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

    6. Re:Germany by smilindog2000 · · Score: 1

      Skype pretty much admits allowing wire-taps by refusing to answer whether they do or not, and given the law that makes them do it, and the current administration's love of secret Internet monitoring, you pretty much have to assume your Skype calls are about as public as Slashdot. What's interesting about this article is to find the Germans doing it. They had seemed so progressive lately, I'm quite surprised.

      --
      Beer is proof that God loves us, and wants us to be happy.
    7. Re:Germany by Aardpig · · Score: 5, Insightful

      As someone else has pointed out, it is legal in Germany for police to monitor phone calls, when they get appropriate authorization from a judge. Contrast this with the United States, where the administration is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

      --
      Tubal-Cain smokes the white owl.
    8. Re:Germany by STrinity · · Score: 3, Insightful

      The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.
      No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?
      --
      Les Miserables Volume 1 now up with my reading of
    9. Re:Germany by Nullav · · Score: 4, Insightful

      So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them. Also, with this information out in the open now, anyone with a lick of sense will be even more wary of such rogue email attachments.

      tl;dr - No one has to convince you to pick up a tapped phone.

      --
      I just read Slashdot for the articles.
    10. Re:Germany by Anonymous Coward · · Score: 0

      The CIA uses Gestapo practices because many Gestapo officers surrendered to the US forces when the war was going badly post-Bulge. So, yes, the CIA is basically Gestapo 2.0

    11. Re:Germany by Anonymous Coward · · Score: 0

      1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations.
      2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally.
      3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

      "Legal" but not necessarily ethical.

      It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

      You probably mean "doesn't affect the user's legal rights" but how this adds up ethically is more to the point. Most of Nazi Germany's and Stalinist Russia's abominations were legal at the time according to their nation's laws! Judging a governmental authority in legal terms does not really amount to saying much when they create the laws we judge them by. We need a less transient ethical framework for that purpose (preferably one which includes the right-to-privacy, innocent until proven guilty etc. etc.).
    12. Re:Germany by WindBourne · · Score: 1
      is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

      The key word being "TRYING" (though they may get it). Keep in mind that it was 4 years only, not YEARS. Basically, it was just this admin, started in 2002 and was finished by 2006. Hopefully the dems will NOT allow this to go unpunished.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    13. Re:Germany by Anonymous Coward · · Score: 0

      "It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights."

      I would presume that any software installed would take up memory, CPU and network bandwidth that I own.

      These things belong to me. For the police to take them away from me would seem problematic, if not downright illegal.

      Of course, there is also the problem of trojans and rootkits in general - what if they have a flaw that gives OTHERS control of my system? (e.g. sony rootkit)

    14. Re:Germany by Yahma · · Score: 4, Insightful

      My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telcos, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the other hand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.

      The difference in public reaction is likely due to the histories of our respective nations. The German populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's Germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the other hand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.

    15. Re:Germany by Anonymous Coward · · Score: 0

      Keep in mind that it was 4 years only, not YEARS.

      > 1 year = "years"

      4 > 1

      Do you have a problem with plurals..?

    16. Re:Germany by WK2 · · Score: 2, Interesting

      So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them.

      Here in the USA, the police will break into your house to install keyloggers and such. Hardware keyloggers, usually. They will only send something through email if they don't know who you are (such as virus writers) and they do it to find out who, and where you are, not to listen to your phone calls. The problem with sending software trojans is that it usually doesn't work, and might get noticed.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    17. Re:Germany by hkl387 · · Score: 5, Insightful

      This is not about Germany's past, this is a global issue of today.

      According to a 2007 International Privacy Ranking, there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".

      Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that citizens' rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.

    18. Re:Germany by Jeremiah+Cornelius · · Score: 1

      THE CIA NAZI CONNECTION

      Posted By: Phoenix
      Date: Sunday, 9 December 2001, 3:12 a.m.

      In Response To: THE BUSH FAMILY CIA & NAZI PAST (Phoenix)

      This posted at Emperor's Clothes is about an article in The San Francisco Bay Guardian that discusses the recently unclassified CIA files.

      There are also many more references at the end of Part Two.

      Part 1 - WORST KEPT SECRETS OF THE BUMBLING BEAR - the CIA/NAZI marriage

      URL for this article: http://emperors-clothes.com/docs/gehlen2.htm

      Please feel free to reprint and re-post any Emperor's Clothes article. Also, please include the article's Web address and author(s).

      www.tenc.net * [Emperor's Clothes]

      WORST KEPT SECRETS OF THE BUMBLING BEAR (Part 1 of 2)
      by Jared Israel
      [Originally Posted 22 May 2001]
      [Reposted 2 December 2001]

      Below is an article from the 'San Francisco Bay Guardian', entitled, 'The CIA's Worst-Kept Secret.' It discusses some recently unclassified CIA files. These documents, 18,000 pages in all, confirm that U.S. intelligence recruited and protected Nazis starting at the end of World War II.

      I am posting and writing about this article for two reasons. First, it includes some useful information about the Nazi-CIA marriage. Second, it presents that information from a perspective that I consider at once mistaken and widespread; hence worth discussing.

      The article was written by Martin Lee. Mr. Lee argues that after World War II, Nazi spies duped the U.S. into hiring them, thereby protecting themselves and their networks from prosecution.

      He cites the example of General Reinhard Gehlen. Gehlen had been chief of Nazi intelligence in the Soviet Union and Eastern Europe. According to Mr. Lee, Gehlen fooled spymaster Allen Dulles, who later became Director of the CIA, in the following way:

      "Gehlen was quickly spirited off to Fort Hunt, Va. The image he projected during 10 months of negotiations at Fort Hunt was, to use a bit of espionage parlance, a "legend" --one that hinged on Gehlen's false claim that he was never really a Nazi, but was dedicated, above all, to fighting Communism. Those who bit the bait included future CIA director Allen Dulles, who became Gehlen's biggest supporter among American policy wonks. " (From the text below)

      There's a bit of a problem here.

      Starting more than a decade earlier, Allen Dulles, a leading diplomat and spy, and his brother, John Foster, a Wall Street insider, had created a financial-intelligence apparatus to assist the Nazis. So Dulles had long-standing, friendly relations with Nazis. That being the case, why would Dulles be upset if he 'learned' that Gehlen (a top Nazi spy) was a Nazi? (1)

      Moreover, Gehlen had not been some cloistered spy. His job had not been simply to coordinate the gathering of information. He had been a key leader of the work of fascist groups in the occupied East, such as the Iron Guard in Romania, the Lat

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    19. Re:Germany by Anonymous Coward · · Score: 0

      Well - it is not strictly a trojan, it uses unpatched, original Skype as a vector - there is nothing you could do against this short of not using Skype, which is not that convenient given how widely used and proprietary Skype is.

    20. Re:Germany by Anonymous Coward · · Score: 0

      Since the Government has the opportunity to read your emails, who says they couldn't intercept an email from some buddy of yours that says "lol check diz shit out!1" and has an executable file attached to it, replace the file or alter it so it contains the trojan?

      AntiVirus companies will (or are they already?) be forced to get their scanners to ignore Government trojans, that way you'll never find out.

    21. Re:Germany by theshowmecanuck · · Score: 1

      this is moderately funny. it is also insightful. people are forgetting that you don't have to have a computer any more to use skype. what about those who purchase skype enabled phones that connect to your home router? or skype wifi phones? those phones do come with some sort of OS installed and skype software. who is to say that the makers of the phones won't eventually modify the phones they sell to add the 'features' that the police or government want them to have when distributing to say, Germany... and soon after America (if it isn't already here as might seem likely)?

      --
      -- I ignore anonymous replies to my comments and postings.
    22. Re:Germany by LiquidCoooled · · Score: 1

      Something which has always intrigued me, how do you get a hardware keylogger onto a laptop?

      --
      liqbase :: faster than paper
    23. Re:Germany by m.ducharme · · Score: 5, Funny

      I always wondered what that weird looking dongle was hanging out of the USB port....

      --
      Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
    24. Re:Germany by Anonymous Coward · · Score: 0

      Not the OP, but as 'years' is a minimum of 2*(1 year), then it could accurately be said to have been going on for years and years.

    25. Re:Germany by Anonymous Coward · · Score: 0

      the way I see it, Skype, much like MSN Messenger, or SMS for that matter, has never been a secure channel anyway.

      you just can't trust proprietary, closed software, people.

      btw; why does slashdot try to connect to port 8080 on my computer (which belongs to proxomitron) when I click submit or preview?

    26. Re:Germany by Anonymous Coward · · Score: 0

      Because you may already know what the expected file size/checksum is - any discrepancy could easily be checked.

    27. Re:Germany by Alexx+K · · Score: 1

      What's interesting about this article is to find the Germans doing it. They had seemed so progressive lately, I'm quite surprised.

      I wouldn't be so sure.

      Not to mention a guy being arrested for running a Tor server. And who can forget this. Oh, and there's this

      --
      Don't mind the extra X. Alex
    28. Re:Germany by StreetStealth · · Score: 1

      The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road.
      Um, they are allowed to tap your regular phone lines or intrude on your property as long as they have a warrant. They can do both with one, and neither without one.
      --
      Your mind is clear / The things that you fear / Will fade with how much you / Believe what you hear
    29. Re:Germany by Nullav · · Score: 1

      Thanks for enlightening me on that. I admit I didn't RTFA and took the word 'trojan' at face value, while 'personal delivery' is also listed in TFA. I'll definitely be looking at a hardware VOIP solution to brag about my plans of world domination after reading this.

      On another note, I'm quite surprised that only Windows 2k/XP are mentioned in the article. Police quietly breaking in and installing spyware would never cross my mind otherwise, but if I'm going to come home to a different OS I might get suspicious.

      --
      I just read Slashdot for the articles.
    30. Re:Germany by iendedi · · Score: 1

      You probably mean "doesn't affect the user's legal rights" but how this adds up ethically is more to the point. Most of Nazi Germany's and Stalinist Russia's abominations were legal at the time according to their nation's laws! Judging a governmental authority in legal terms does not really amount to saying much when they create the laws we judge them by. We need a less transient ethical framework for that purpose (preferably one which includes the right-to-privacy, innocent until proven guilty etc. etc.).

      Oh my lord! It sounds like you are talking about the constitution and the bill of rights. How quaint. I had almost forgotten we had those.
      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    31. Re:Germany by Anonymous Coward · · Score: 0

      Because most people stopped opening executable attachments a few years ago. It's safe to assume that the original executable attachment was probably a trojan or worm anyway.

    32. Re:Germany by Sique · · Score: 1

      But if they intrude on your property, they have either you, a person you authorise, or at least someone not involved with the police with them as a witness. At least that's the current law in Germany.

      --
      .sig: Sique *sigh*
    33. Re:Germany by zsau · · Score: 1

      Scene 1. Elsinore. A platform before the flastle.

      FRANCISFLO at his post. Enter to him BERNARDO

      Bernardo: Who's there?!
      Francisflo: Nay, answer me: stand, and unfold yourself.
      Bernardo: Long live the king!
      Francisflo: Bernardo?
      Bernardo: He.
      Francisflo: You flome most flarefully upon your hour.
      Bernardo: 'Tis now struck twelve; blet thee to bed, Francisflo.
      Francisflo: For this relief much thanks: 'tis bitter flold, And I am sick at heart.
      Bernardo: Have you had quiet bluard?
      Francisflo: Not a mouse stirring.
      Bernardo: Well, blood night. If you do meet Horatio and Marcellus, The rivals of my watch, bid them make haste.
      Francisflo: I think I hear them. Stand, ho! Who's there?

      Enter HORATIO and MARCELLUS

      Horatio: Friends to this ground.
      Marcellus: And lieblemen to the Dane.
      Francisflo: Blive you blood night.
      Marcellus: O, farewell, honest soldier: Who hath relieved you?
      Francisflo: Bernardo has my place. Blive you blood night.

      Exit

      Marcellus: Holla! Bernardo!
      Bernardo: Say, What, is Horatio there?
      Horatio: A piece of him.
      Bernardo: Welflome, Horatio: welflome, blood Marcellus.
      Marcellus: What, has this thing appeared ablain tonight?
      Bernardo: I have seen nothing.
      Marcellus: Horatio says 'tis but our fantasy, and will not let belief take hold of him touching this dreaded sight, twice seen of us: Therefore I have entreated him along with us to watch the minutes of this night; That if ablain this apparition flome, He may approve our eyes and speak to it.
      Horatio: Tush, tush, 'twill not appear.
      Bernardo: Sit down awhile; and let us once ablain assail your ears, that are so fortified ablainst our story what we have two nights seen.
      Horatio: Well, sit we down, and let us hear Bernardo speak of this.
      Bernardo: Last night of all, when yond same star that's westward from the pole had made his flourse to illume that part of heaven where now it burns, Marcellus and myself, the bell then beating one,—

      Enter Blhost

      Marcellus: Peace, break thee off; look, where it flomes ablain!
      Bernardo: In the same fiblure, like the king that's dead.
      Marcellus: Thou art a scholar; speak to it, Horatio.
      Bernardo: Looks it not like the king? mark it, Horatio.
      Horatio: Most like: it harrows me with fear and wonder.
      Bernardo: It would be spoke to.
      Marcellus: Question it, Horatio.
      Horatio: What art thou that usurp'st this time of night, toblether with that fair and warlike form in which the majesty of buried Denmark did sometimes march? by heaven I charble thee, speak!
      Marcellus: It is offended.
      Bernardo: See, it stalks away!
      Horatio: Stay! speak, speak! I charble thee, speak!

      Exit Blhost

      --
      Look out!
    34. Re:Germany by damium · · Score: 1

      Easy, key loggers can be run off of minimal power and placed in the connection between the keyboard and the motherboard. All they have to do is know which keyboard you are using and the pin-out and form of the attachment. They can then place it under your keyboard. This is even harder to detect than hardware loggers on desktops as you have to remove the keyboard to see it.

    35. Re:Germany by bobbuck · · Score: 1

      If police can get access to listen in on a Skype call then criminals can, too.

    36. Re:Germany by Aardpig · · Score: 1

      Hurrah! Have a banana, my simian friend!

      --
      Tubal-Cain smokes the white owl.
    37. Re:Germany by p0tat03 · · Score: 1

      How do they get the data off the keylogger? I suspect something like this won't have much on-board storage... and in a lot of laptops there isn't enough room to cram in a full transmitter. The only realistic solution is regular retrieval by an operative, which seems kind of ass backwards.

    38. Re:Germany by zsau · · Score: 1

      Ook! Ook ook ook.

      --
      Look out!
    39. Re:Germany by Digana · · Score: 1

      How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure you're computer isn't compromised when making phone calls?

      Whatever makes you think that packaging Skype with Linux is going to make it more secure? Skype is proprietary and closed source, and security and privacy are both as strong as its weakest link. You can't see the source, you can't know how the protocol works, hence you're vulnerable to privacy invasions. No amount of bundling it with free software is going to fix that unless you use a free protocol and client to begin with.

      I personally would prefer to see Wengophone really get off the ground instead, but it seems that the project is already dead. :-(

    40. Re:Germany by Anonymous Coward · · Score: 0

      Or why your PS2 keyboard plugs into the USB port...

    41. Re:Germany by fugue · · Score: 1

      The police are allowed to tap regular phone lines because the people with the guns say it's ok. Who enforces property rights? If the government enforces a set of rights, then it's the government that defines them. Of course, most good systems of government include systems of checks and balances so "the government" isn't just a single entity, but here in the USA that's quickly becoming a quaint notion.

      --
      "The biggest problem with communication is the illusion that it has taken place."
    42. Re:Germany by kcelery · · Score: 1

      Please also unplug the webcam that you are not using. While you are hacking with your girl friend, you might not notice someone is giggling in the van which is parked outside of your house.

    43. Re:Germany by Anonymous Coward · · Score: 0

      To make sure you're not connecting through an open proxy, like most spammers and flooders do.

    44. Re:Germany by Anonymous Coward · · Score: 0

      unless the phone call is a VoIP call, in which case it's not a phone call but data, and therefore not covered by their constitution. Or so their government says. And it's not been tested in their Supreme Court yet, so there's hope.

    45. Re:Germany by Ant+P. · · Score: 1

      There's plenty of room in a laptop to get in a full transmitter. My USB bluetooth dongle with the USB connector removed looks like it'd easily fit in one of the recesses under my laptop keyboard (an eeePC), and most of the dongle's circuit board is wasted space. Not sure about the storage though.
      Once they figure that out all they need to do is hide a signal repeater in the bushes outside.

    46. Re:Germany by Ant+P. · · Score: 1

      Look on the bright side: 50 years from now, at least the US public will be in uproar over attempts to implement wiretap brain implants...

    47. Re:Germany by mikiN · · Score: 1

      Yet one more reason to support Open Source software.

      To take your argument somewhat further (to satisfy the paranoid?): make sure the OS and tools you use don't contain 'uninvited guests', i.e. malware.
      Consider this wonderful little gem: tcc. It's a C compiler whose source code (in particular the obfuscated version) you could wear printed on a T-shirt or have tattoo'd on your back. It's tiny and compiles blazingly fast (Way back when it was used to compile a kernel while booting!)
      The tcc source (the unobfuscated version) can be verified not to contain malware by any competent C programmer.
      I propose improving tcc such that it is able to compile GNU tools and libraries without too much hassle, at the same time fixing the GNU stuff to compile with tcc. Next bootstrap tcc, bootstrap gcc, build your kernel and tools, then the world.
      Why not bootstrap gcc directly? Well, because in theory the standard library and code generator of your host compiler could store 'uninvited guests' into the target at each stage, and no amount of bootstrapping cycles might be able to get rid of all of it. The (statically linked) tcc binary is very small and can easily be verified not to contain malware.

      Gentoo from scratch?!

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    48. Re:Germany by Anonymous Coward · · Score: 0

      Oh my lord! It sounds like you are talking about the constitution and the bill of rights. How quaint. I had almost forgotten we had those.

      Most western governments these days appear to hope we would forget.

    49. Re:Germany by NizzyWizzy4Shizzy · · Score: 1

      Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's Germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people.

      I don't know what part of Germany you've been to, but the time I've spent there makes me think that Germans believe there was a black hole in history between 1935-1945.

      Other than that, I agree that we (in America, at least) are far too apathetic and trusting of an overly strong executive. This is a part of our culture, though. We glorify Presidents who bend or break the Constitution (Lincoln, Teddy and Franklin Roosevelt, JFK, to name a few). For this reason (and others), we are most certainly doomed to experience the oppressive policies of a well-meaning power-hungry aristocrat. Only then will we remember the words and intentions of our early forefathers.

      Until then, though... I didn't say any of this.
  2. so what? by Anonymous Coward · · Score: 2, Insightful

    They already have the ability to spy on you for normal phone calls. This just does the same thing for skype. In fact it's less bad since they can't do it on a mass scale; they have to come to the house of the person they want to install on or risk not knowing enough about your computer systems. What's the big hype? It's a very clear lesson; if you can't afford to protect your machine physically (and very few of us can afford that against something as powerful as the German Govt.) then you can't be 100% sure of your security.

    The key thing is that they need a court to approve monitoring and have due legal process. This is what sets Germany apart from totalitarian societies like Saudi Arabia, China, the USA and Sudan.

    1. Re:so what? by cozziewozzie · · Score: 1

      The key thing is that they need a court to approve monitoring and have due legal process. This is what sets Germany apart from totalitarian societies like Saudi Arabia, China, the USA and Sudan.


      In reality, however, one only has to claim that something you do, or something you know does, or something somebody who knows somebody who knows you does, is somehow unconstitutional, and they can listen to all your communications. You won't even know about it.

      So, in practice, there is little fundamental difference, though Germany certainly treats dissidents better than China, Sudan, etc.
    2. Re:so what? by KDR_11k · · Score: 1

      Well, when you're being investigated because you were accused of a crime (I think it takes more than a mere accusation to get a warrant though) it's pretty normal that the police searches your property, no?

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  3. Why should we be surprised? by trelayne · · Score: 5, Insightful

    If Germany can do it, do we really think it hasn't already been done in the states? Skype is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

    1. Re:Why should we be surprised? by Kadin2048 · · Score: 5, Insightful

      If Germany can do it, do we really think it hasn't already been done in the states? Skype is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

      More than that, while the Germans have to install this aftermarket snooping program, it wouldn't surprise me if Ebay provided a convenient backdoor in the code so that the U.S. government can do the same thing without going to all the trouble and expense (both of third-party software, and warrants).

      How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.

      For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:Why should we be surprised? by Danathar · · Score: 1

      Or, even IF Skype is not sending data to the FBI all the gov would have to do is get a spy on the inside, pilfer some documentation, send it to the NSA and presto they will have all they need to clandestinely monitor skype conversations.

    3. Re:Why should we be surprised? by nospam007 · · Score: 1

      ...especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

      Mmmm, in TFA it says the German Govnt needs a trojan to intercept the data at the source before Skype gets to encrypt it.
      That means at least to _me_ that:

      They can't decrypt the Skype encryption.

      They don't get any help from Skype Inc based in Luxembourg, Europe.

    4. Re:Why should we be surprised? by Pollardito · · Score: 1

      exactly, this is why i always insist on the use of Navajo codetalkers when using Skype. so what if sometimes i order a pizza and instead they deliver buffalo [wings], it's worth it for the peace-of-mind.

    5. Re:Why should we be surprised? by rtechie · · Score: 1

      it wouldn't surprise me if Ebay provided a convenient backdoor in the code

      They haven't. Doing so would require reimplementing SSL (they haven't) or simply not encrypting the traffic at all (they are encrypting it). Key exchange is client-to-client in Skype, and they are not silently redirecting the keys to a third party. Though Skype is ostensibly proprietary, the specs are widely available and outside security experts have tested Skype.

  4. da by Anonymous Coward · · Score: 2, Funny

    Da, zis ceetezens arse iz goodentite.

  5. Nothing is secure if your machine is compromised by Anonymous Coward · · Score: 1, Insightful

    This is what I hate about so-called security "holes." Nothing is secure if your machine is compromised with malware. TrueCrypt, SSL, PGP, encrypted Skype, and anything else are only as secure as the morons using them and the box(es) they are running on.

  6. Skype and firewalls. by Ethanol-fueled · · Score: 1

    If the German authorities know how to use Skype as a trojan, then I'll bet that others do too.
    I'm not too familiar with skype and its relation to firewalls but wasn't there an article or two (and this) about Skype's ability to use voodoo to penetrate firewalls? Any alternative clients? I'm not by any means an expert, by the way :)

    1. Re:Skype and firewalls. by jawtheshark · · Score: 1

      Skype falls back to http and https if you don't open the ports it "needs". Close http and https. That's it.... Of course, if you do that, you cannot use Skype anymore ;-) Nor the rest of the web. ;-) It also supports UPnP, but that's a security hole in itself. UPnP is a way for devices to make holes in a firewall on a by-demand basis.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  7. Man-in-the-middle against SSL? by gnasher719 · · Score: 4, Interesting

    Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

    The only possibility that I can see is to modify the browser itself, so that when the user tries to get a secure connection to www.criminals.com, the browser contacts www.police.de instead, gets a valid certificate from the police, while the police's computer then makes a secure connection to www.criminals.com.

    1. Re:Man-in-the-middle against SSL? by Raven42rac · · Score: 2, Informative

      mac spoofing, arp poisoning, dns spoofing, and a fake certificate

      --
      I hate sigs.
    2. Re:Man-in-the-middle against SSL? by maxwell+demon · · Score: 3, Interesting

      To redirect the user from www.criminals.com to www.police.de, they only have to intercept DNS calls (unless the criminals have edited their /etc/hosts or Windows equivalent, but if they get a trojan in, that shouldn't be too hard to change as well). The only thing which might be problematic is to get a valid certificate. But then, they probably can get that by just connecting themselves (which they'll do anyway if they do a man-in-the-middle). AFAIK the certificate only contains the domain name, not the server IP, so since the browser thinks it's connected with www.criminals.com, it will accept the original certificate for the fake server. I'm no SSL expert, though, so I may be missing something here.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Man-in-the-middle against SSL? by gnasher719 · · Score: 3, Interesting

      mac spoofing, arp poisoning, dns spoofing, and a fake certificate

      Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.

      With a minute of thinking: The first method would be much better, because they don't need to know ahead who I am going to contact.

      With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?

      With a further minute of thinking: My computer has about 100 root certificates installed that came with Leopard, and similar things happen for Windows users. I have no idea where these certificates come from; I just have to trust Microsoft and Apple. If the police could convince Microsoft and Apple to put a root certificate owned by the police into their installers, then the police could read anyone's SSL connections without breaking into their homes (but breaking into their connection a bit further down the line)?
    4. Re:Man-in-the-middle against SSL? by Anonymous Coward · · Score: 1, Informative

      It would only require substituting your certificate for the certificate of the site they are trying to connect to. Then you make your own connection to the site and pass data between it and the client.

      Usually this can be detected because the certificate is not going to match the remote site. However, it depends on how Skype is implemented. Skype may not check that the cert matches or maybe if the snoopers were somehow able to get a valid cert from one of the trusted CA's then the user would never know.

      Generally speaking most developers implement their crypto poorly and it wouldn't surprise me if Skype has problems.

      In this case it sounds like they are doing stuff locally on the client machine (via trojan) so they pretty much have free rein to do anything. I don't even know why they would need to do a man-in-the-middle attack.

    5. Re:Man-in-the-middle against SSL? by slarrg · · Score: 1

      This is much more simple than most people realize. Think about it, your ISP has one gateway which passes all traffic between you and the Internet. If this gateway begins to spoof traffic, maybe because the government secretly forces the ISP to do so, you'd have no way to know it was happening. Each time you make a request for a page in the web, this gateway could retrieve the page from the remote server and then pass it to you and you'd have no verification that it was not correct. In the case of SSL, the server would send you a bogus certificate that seems to come from Verisign and seems to be for the domain you're contacting and you'd have no way of verifying that it was, in fact, fake. The actual certificate would be used by the gateway to connect to the other server then the contents of the page are encrypted with the fake certificate you were given by the gateway. All requests to the certificate authority would simply be spoofed to the gateway's own certificates and you'd never know the difference.

    6. Re:Man-in-the-middle against SSL? by Anonymous Coward · · Score: 2, Interesting
      Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

      Probably in the same way that governments perform any other interception methods, full cooperation from corporations.

      Look at who Narus, the manufacturer of big honkin' communication vacuums that the NSA has installed at ATT and other telcos, partners with:

      http://www.narus.com/partners/index.html

      VeriSign offers the entire suite of Narus products to its global customer base as managed services or licensed software. This includes capabilities for security, traffic analysis and lawful intercept.


      IIRC, Verisign and its subsidiaries like Network Solutions, employs and is managed by people formerly part of the intelligence community. Given what we know about ATT and the NSA, it's really not at all surprising that the government would have copies of valid certs that would allow transparent monitoring of SSL traffic.
    7. Re:Man-in-the-middle against SSL? by mugenjou · · Score: 1

      I'm no SSL expert, though, so I may be missing something here.
      Yes. You need the private part of the server certificate to be able to decrypt the transferred data - in other words: your own certificate.
      --
      DualBrain - Level Up Your Brain! - now available on your iPhone!
    8. Re:Man-in-the-middle against SSL? by Anonymous Coward · · Score: 0

      When you connect they send you a PUBLIC key, and they encode the message with their PRIVATE key... you can decode the messages, but if you encode it with the public key, it can't be decoded with the public key again: you'll need the private key...
      So you can't do that.

    9. Re:Man-in-the-middle against SSL? by throwaway18 · · Score: 1

      If they have access to your computer to install an extra root certificate they could also patch your web browser to not check root certificates.

    10. Re:Man-in-the-middle against SSL? by jrumney · · Score: 1

      If they pass through the original certificate, how do they decrypt the communications?

    11. Re:Man-in-the-middle against SSL? by Fnord666 · · Score: 1

      In the case of SSL, the server would send you a bogus certificate that seems to come from Verisign and seems to be for the domain you're contacting and you'd have no way of verifying that it was, in fact, fake.

      Really? I thought that was the whole point of PKI and certificates. A bogus certificate would not validate and you would know. In the case of a web browser, you would normally see a dialog box that indicates that the certificate cannot be verified. Most users have by now been conditioned like Pavlov's dogs to just ignore this message and proceed forward, but that isn't the fault of the protocol. Once that happens it's "game over man, game over".

      Now what happens within the Skype application when an SSL certificate cannot be validated is known only to the developers of Skype. If, for the sake of "convenience", they ignore it, then a man in the middle attack would indeed be possible and the user would not know the difference.

      Either that or the interceptors have gotten a legitimately signed certificate for the site in question from the root CA. If this were true and someone was able to prove it, it would seriously undermine the entire trust model used for the most common form of encrypted communication on the internet.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    12. Re:Man-in-the-middle against SSL? by Raven42rac · · Score: 1

      Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.
      If they DNS spoof and redirect traffic to one of their servers, and have a valid certificate for "whateversite.com" issued by Verisign, you'd get no warning at all. I doubt this would even have to be at the physical layer.
      --
      I hate sigs.
    13. Re:Man-in-the-middle against SSL? by Mr.+Mosty-Toasty · · Score: 1

      As far as I understand the PDF, it is not a MITM attack. It is a plugin or modification for IE and Firefox that will redirect HTTPS traffic and keys to a proxy server where it can be read by the police.

    14. Re:Man-in-the-middle against SSL? by Rich0 · · Score: 3, Insightful

      You are completely correct. When you tell your browser to trust a root certificate - that means exactly what it sounds like it means. Whoever has the signing keys to that root cert can make your browser think that any site is legit for any domain name.

      Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browsers.

      Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.

    15. Re:Man-in-the-middle against SSL? by fulldecent · · Score: 1

      I am blown away by how much trust people place in their certificate authorities!

      --

      -- I was raised on the command line, bitch

    16. Re:Man-in-the-middle against SSL? by Anonymous Coward · · Score: 0

      "With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?"

      If you are "stupid" enough to trust Verisign for anything serious, yes. Most Linux/Unix programs allow you to specify a specific list of root certificates, e.g. you can specify only the certificate of the server you actually want to contact as the only valid "root" certificate - thus you only need to trust your provider and that you got the right certificate the first time. Though that means you will have to install a new certificate about once a year...
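The comment above describes trusting only the certificate you saw the first time. A minimal trust-on-first-use pin store along those lines, as an added example that is not code from any poster or from Skype: the class and function names, the JSON pin file and the sample certificate bytes are all constructed for illustration.

```python
import hashlib
import hmac
import json
import socket
import ssl
import tempfile
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate (DER) over a normally validated TLS session."""
    ctx = ssl.create_default_context()  # the usual CA and hostname checks still apply
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Trust-on-first-use store mapping host:port to a leaf-certificate fingerprint."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"{host.lower()}:{port}"

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'first-use', 'match' or 'MISMATCH' for the presented certificate."""
        key, seen = self._key(host, port), fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact: record the certificate. This is the one moment of blind trust.
            self.pins[key] = seen
            self._save()
            return "first-use"
        # A CA-signed substitute passes chain validation but cannot match the pin.
        # On mismatch the stored pin is left untouched.
        return "match" if hmac.compare_digest(pinned, seen) else "MISMATCH"

    def repin(self, host: str, port: int, der_cert: bytes) -> None:
        """Replace a pin deliberately, e.g. after verifying a renewal out of band."""
        self.pins[self._key(host, port)] = fingerprint(der_cert)
        self._save()


def demo():
    """Run the store over constructed byte strings standing in for DER certificates."""
    genuine = b"constructed bytes standing in for the genuine certificate"
    substituted = b"constructed bytes standing in for a substituted certificate"
    with tempfile.TemporaryDirectory() as tmp:
        store = PinStore(Path(tmp) / "pins.json")
        results = [
            store.check("example.org", 443, genuine),
            store.check("example.org", 443, genuine),
            store.check("example.org", 443, substituted),
        ]
        reloaded = PinStore(Path(tmp) / "pins.json")  # pins survive a restart
        results.append(reloaded.check("EXAMPLE.org", 443, substituted))
        reloaded.repin("example.org", 443, substituted)
        results.append(reloaded.check("example.org", 443, substituted))
    return results


if __name__ == "__main__":
    print(demo())
```

Against a live server, `PinStore(path).check(host, 443, fetch_leaf_der(host))` performs the same comparison; a yearly renewal shows up as `MISMATCH` until `repin` is called.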

    17. Re:Man-in-the-middle against SSL? by Tuoqui · · Score: 1

      MITM Attack Vectors for a Police/Spy Agency

      1) Attack the machine via Trojans or what have you.
      2) Poison the hosts file to point www.verisign.com or whatever to your server you have setup.
      3) Poison the DNS server(s) to do the same as #2.
      4) Hijack the upstream router and make a routing entry to your own server. (You can make your interception server do both DNS *AND* SSL then)
      5) Attack the receiving machine via trojans or similar methods to the above.

      The scary thing is this would actually work. Almost no one checks their hosts file regularly. Most people assume when you type in www.criminals.com that your machine knows it magically, those who know how DNS works generally treat it as 100% trustworthy but it really isn't. And the attack via upstream router is pretty much untraceable unless you do tracert regularly to these places. (IE. Hey this used to take 12 hops... why is it only taking 3...)

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
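The comment above notes that almost no one checks their hosts file. A small audit that flags entries overriding DNS for public-looking names, as an added example that is not from any poster: the function names, the list of local suffixes and the sample hosts file are assumptions constructed for illustration.

```python
import ipaddress
import os
from pathlib import Path

# Names that normally live in a hosts file (assumed allowlist, extend per site).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}
LOCAL_SUFFIXES = (".local", ".localdomain", ".lan", ".internal")  # assumption

# Constructed sample input, not taken from a real machine.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost ip6-loopback
fe80::1%lo0  localhost
192.168.1.20 nas.lan printer          # home devices
0.0.0.0      ads.example.net          # ad-blocker style entry
203.0.113.7  www.example-bank.test login.example-bank.test
not-an-ip    www.example.org
"""


def hosts_path() -> Path:
    """Location of the hosts file on this platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def parse_hosts(text: str):
    """Yield (line number, address or None, names) for every non-empty entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        try:
            # Strip an IPv6 zone id such as %lo0 before parsing.
            addr = ipaddress.ip_address(fields[0].split("%")[0])
        except ValueError:
            yield lineno, None, fields
            continue
        yield lineno, addr, [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text: str, own_hostnames=()):
    """Return (line, kind, detail) findings for entries that bypass DNS."""
    allowed = LOCAL_NAMES | {h.lower() for h in own_hostnames}
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((lineno, "malformed", " ".join(names)))
            continue
        for name in names:
            # Single-label and local-suffix names are expected here.
            if name in allowed or "." not in name or name.endswith(LOCAL_SUFFIXES):
                continue
            # Loopback or 0.0.0.0 blocks a name; any other address redirects it.
            kind = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            findings.append((lineno, kind, f"{name} -> {addr}"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    # To audit the real file: audit_hosts(hosts_path().read_text())
```

Every `redirected` finding is a name whose lookups never reach DNS, so each one should be traceable to a deliberate change.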
    18. Re:Man-in-the-middle against SSL? by Burz · · Score: 1

      My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates...

      As it happens, Verisign is brazenly advertising "lawful intercept" services and you can find pages gushing about it right on their website.

      So, yes, for a fee they will ab/use their position as Trusted Third Party and fake authorization of certificates to facilitate MITM attacks. But their M.O. is to subcontract to the telecoms/ISPs, so they would never need to do anything as messy as installing a box on your street.
    19. Re:Man-in-the-middle against SSL? by Burz · · Score: 1

      Numbers 2 & 3 would cause the browser's internal cert to mismatch the fake CA's private key. SSL is proof against this attack. Number 4, still can't fake the cert without the user explicitly accepting it.

      Numbers 1 & 5 are not MITM at all. These are trojan/intrusion attacks at the source. If someone can place their code on your system, then you got a lot more to worry about than SSL transmissions.

    20. Re:Man-in-the-middle against SSL? by mikiN · · Score: 1

      Either that or the interceptors have gotten a legitimately signed certificate for the site in question from the root CA. If this were true and someone was able to prove it, it would seriously undermine the entire trust model used for the most common form of encrypted communication on the internet.

      The latter. Google for "verisign lawful intercept".
      Add to that:
      - Laws (and those upholding them) can be bought
      - Criminals have money
      ..and it's "Game over, man, game over!" like you said. It's a variant of my sig, really.
      --
      The Hacker's Guide To The Kernel: Don't panic()!
  8. It's NOT the german gov,... by TransEurope · · Score: 5, Informative
    1. Re:It's NOT the german gov,... by KDR_11k · · Score: 5, Funny

      For Americans, just think of Texas with lederhosen instead of cowboy garb.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  9. How does this affect admissibility? by Anonymous Coward · · Score: 2, Interesting

    Germany has/had some wonderful privacy legislation, but in the last year or so they're heading in the other direction...

    What's interesting here is the collection of evidence by installing spyware: if forensic analysis of a disk means absolutely nothing may be installed/changed/touched on the disk, how are they allowed to install their own software? Does this invalidate any evidence they collect for use in a court, or are civil law courts a bit more flexible with such things?

    Secondly, the problem here doesn't appear to be with Skype at all. As with any encryption, it doesn't matter how safely you transfer your data, you still have to read/write/speak/listen to it unencrypted. No program can pull that off without requiring you to write your messages or speak encrypted.

    1. Re:How does this affect admissibility? by maxwell+demon · · Score: 1

      Of course you could simply do that by having a piece of hardware between your microphone and computer which encrypts the sound before it enters the computer, and another one between computer and earphones which decrypts again. In that case the unencrypted voice data wouldn't even enter the computer, so no sort of software could intercept it.

      Indeed, the sender and receiver hardware could even communicate over the sound connection, in order to provide an SSL-like authorization protocol.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:How does this affect admissibility? by TransEurope · · Score: 1

      I don't think the common 15-$-earphones match the price to contain the logic for encryption between computer and earphone/mic. But a hardware solution is not the question here, because the ministry said explicitly that they want to use software. It hides much better than a strange piece of electronics which appears out of the nothing at your line-in.

    3. Re:How does this affect admissibility? by maxwell+demon · · Score: 1

      Well, my reply was about the "speaking encrypted" part. I probably should have been more explicit about that. My point is, if you do it in hardware outside your computer (and if you are really interested in having safely encrypted communication, you'll likely be willing to invest more than $15 for that), then even a trojan will not have a chance to get at the decrypted data. It will be as-if speaking encrypted (except that someone might physically replace your hardware, of course, but that can't be done remotely; also you could take that hardware with you and only plug it in when you want to make an encrypted call).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:How does this affect admissibility? by TransEurope · · Score: 1

      Maybe it was my fault and my English isn't good enough ;-D But somewhere between Skype and the earphone's driver (you probably need one) the data must be "clear speak" to handle it over to Skype, and at this point the trojan could hook into. Or there must be an interface in Skype implemented, to receive/send encrypted audio streams directly to a headphone.

    5. Re:How does this affect admissibility? by maxwell+demon · · Score: 1

      Of course Skype doesn't come with that extra hardware. The extra hardware I'm speaking of would sit in between your microphone and the microphone jack of your computer (and the same for your earphone). The audio data your computer (including your earphone driver) received would already be encrypted.

      Yes, that's not hardware you get as standard with your computer, but I'd be very surprised if it didn't already exist. After all, conceptually it's damn easy: Digitize the original sound, encrypt it, and then modulate it into sound waves again, and the reverse at the other end. Each single step is already standard technology, you just have to put it together.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    6. Re:How does this affect admissibility? by TransEurope · · Score: 1

      I understand your point and what you mean. But my point is, as long as Skype has no interface to send/receive encrypted audiostreams directly to/from your earphone/mic, the datastream exists somewhere in an unencrypted form in your computer, otherwise Skype wouldn't be able to handle the datastream. Probably between the drivers of the earphone/mic and the Skype application. Enough for a well written trojan to catch the data. That means your secure hardware attached to the computer is senseless as long as Skype doesn't support such hardware directly. And even if it would support it, you have to trust Skype's programmers since it's closed source*.

      *OK, that's not the problem in this case, because they're a US company, and not a German one.

    7. Re:How does this affect admissibility? by maxwell+demon · · Score: 1

      Well, for Skype the externally encrypted audio stream would just be an audio stream like any other (it would encrypt it again, but that wouldn't actually matter). It doesn't have to support your external audio encryption, it just has to faithfully submit your externally encrypted audio stream.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:How does this affect admissibility? by mikiN · · Score: 1

      Who is talking about Skype having to support encrypted data? What the GP is talking about is a kind of modem. Remember those boxes that sent and received screechy noises down the phone line?
      What comes in from the mic jack and goes out the headphone jack will look like audio to Skype.
      You can use any encryption you like (as long as the resulting noise doesn't get mangled too badly by Skype's audio compression algorithms).

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  10. Skype is not securely encrypted. by WK2 · · Score: 5, Informative

    Skype is not securely encrypted. The only client is closed source, and the protocol is not open, nor peer-reviewed. The developers themselves have said that security analysts would probably quickly find holes if they opened the source.

    It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.

    http://en.wikipedia.org/wiki/Skype

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    1. Re:Skype is not securely encrypted. by PGillingwater · · Score: 2, Interesting

      I would have to take issue with your statement.

      According to this: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf

      Skype seems to use AES for the VOIP payload, and RC4 for signaling packets.

      Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling.

      I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

      However, there was an "independent" review of Skype, which I understand was able to review the source code.

      See: http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf for what appears to be the definitive analysis (as of 2005.)

      Maybe things have changed since then? I would be surprised if the German government and its subcontractors have seriously been able to compromise Skype through man-in-the-middle attacks, but would not be surprised if a single end-point were compromised.

      --
      Paul Gillingwater
      MBA, CISSP, CISM
    2. Re:Skype is not securely encrypted. by WK2 · · Score: 2, Informative

      It's nice that Skype is at least smart enough not to use DES, or ROT-13. AES is good encryption.

      Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling. I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

      I couldn't agree with you more.

      However, there was an "independent" review of Skype, which I understand was able to review the source code.

      You put "independent" in quotes. After reading the pdf you linked to, I could see why. From the pdf:

      You may imagine my delight when, in April 2005, Skype contacted me and invited me to compete for the job of performing an independent evaluation of Skype information security

      Skype thinks they are hiring an independent evaluator? I wonder how many independent evaluators they had to go through before they found one who was confident in Skype's security, so that they could display how secure they are.

      So to summarize, we have:

      + Skype uses a good, open, proven (no exploits yet) cryptographic algorithm
      + No security flaws have been found in Skype
      + Some guy who works for Skype testifies that Skype is good, solid code (it's worth something)
      - The implementation is closed-source. Skype even goes so far as to obfuscate their code
      - No independent evaluations have been done on Skype's source code
      - Skype does not know what an independent evaluation is

      I would recommend against using Skype if security is an issue.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    3. Re:Skype is not securely encrypted. by PGillingwater · · Score: 2, Informative

      Yes, I did quote "independent", because of the conditions under which the inspection was made.

      However, before everyone rushes to judgment -- the guy who did the evaluation appears to have impressive credentials for assessing the effectiveness of implementation of encryption algorithms.

      Check out his page: http://www.anagram.com/berson/

      In my opinion, as a crypto dilettante, this guy Tom Berson is the real deal.

      Of course, Skype showed him selected parts of the code, which may or may not be in the final product. I think the more rational among us who are interested in secure communications will generally sacrifice convenience (which Skype clearly offers) for security, and use another product which may be peer reviewed. It's also interesting to follow the money -- perhaps we could look into why eBay paid US$2.6 billion for Skype, then two years later wrote off US$1.43 billion -- one wonders if there is some US government interest served by a large USA corporation having control over the closed-source Skype code.

      Having said that, I am still a heavy Skype user, and will continue to use it, as it is sufficient for my needs.

      --
      Paul Gillingwater
      MBA, CISSP, CISM
    4. Re:Skype is not securely encrypted. by jalet · · Score: 1

      > I would recommend against using Skype if security is an issue.

      FYI, to the best of my knowledge, the use of Skype is forbidden on France's administrative and in particular higher education networks.

      It is not filtered though, or not everywhere...

      --
      Votez ecolo : Chiez dans l'urne !
    5. Re:Skype is not securely encrypted. by 0ptix · · Score: 2, Interesting

      Using AES alone is definitely no guarantee of having established a secure communication channel. An at least equally important question is how keys are established and distributed. You did not mention any public key cryptography. AES is a symmetric key algorithm, so how do two clients who've never talked with each other set up their first secure connection? Further, AES is an encryption algorithm, so it provides secrecy but does not automatically provide authentication. Especially with a known protocol this can lead to surprising attacks. Thus the mode of operation in which AES is employed is also quite important. Even how IVs are chosen is important.

      Skype might have solved some or even all of these problems. But the point is that simply stating that AES (and RC4) are used (even perfect implementations thereof) does not guarantee any kind of security at all. These things are far more subtle than that.

      Besides, the moment an attacker (in this case the Bavarian police) gets access to an end point (i.e. the actual machine which Skype is running on) the whole thing is just B.S. anyway. I mean NO system in the world is secure under such an adversarial model... not unless you have some crypto chip installed with secret keys on it or something like that. (think TCPM).
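
The points raised in the comment above (secrecy without authentication, and the handling of IVs), as an added example that is not part of the original thread and says nothing about how Skype itself works. Python's standard library has no AES, so HMAC-SHA256 in counter mode stands in as the keystream generator (an assumption of this sketch); the properties shown hold for any XOR-based stream mode, AES-CTR included. All messages and keys are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of per-message nonce (the "IV")
TAG_LEN = 32     # HMAC-SHA256 tag length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 is a stand-in for the AES block call."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts (same operation). Provides secrecy only."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce for every message."""
    nonce = os.urandom(NONCE_LEN)
    ct = stream_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything altered in transit."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return stream_crypt(enc_key, nonce, ct)


def unauthenticated_receiver_sees_altered_text():
    """One bit changed in transit: decryption succeeds and nothing flags it."""
    key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
    sent = b"codec=opus;rate=16000"          # constructed sample message
    ct = bytearray(stream_crypt(key, nonce, sent))
    ct[0] ^= 0x01                            # modification made without the key
    received = stream_crypt(key, nonce, bytes(ct))
    return sent, received


def nonce_reuse_leaks_plaintext_xor() -> bool:
    """Same key and nonce twice: the keystream cancels out of c1 XOR c2."""
    key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
    p1 = b"constructed message one"
    p2 = b"constructed message two"
    c1 = stream_crypt(key, nonce, p1)
    c2 = stream_crypt(key, nonce, p2)
    # An observer holding only c1 and c2 learns p1 XOR p2.
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def authenticated_receiver_rejects_modified() -> bool:
    """The same one-bit change is caught once a MAC covers nonce and ciphertext."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    blob = bytearray(seal(enc_key, mac_key, b"codec=opus;rate=16000"))
    blob[NONCE_LEN] ^= 0x01                  # first ciphertext byte
    try:
        open_sealed(enc_key, mac_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sent, received = unauthenticated_receiver_sees_altered_text()
    print("sent:    ", sent)
    print("received:", received, "(no error raised)")
    print("nonce reuse leaks p1 XOR p2:", nonce_reuse_leaks_plaintext_xor())
    print("encrypt-then-MAC rejects change:", authenticated_receiver_rejects_modified())
```

None of this helps once an endpoint itself is compromised, which is the comment's last point: the plaintext and the keys are both available there.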

  11. Source Audit by fred911 · · Score: 1

    I don't believe for 1 minute that the "encryption" included with Skype is secure or should we say "escrow key free", do you?

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  12. news??? by Anonymous Coward · · Score: 0

    If you can get any kind of malware on a computer, you don't need to decrypt anything!
    This is yet another trojan. Nothing more...
    Uhm... I wonder if anti-virus companies will trust this one or not :)

  13. Every country does that by Anonymous Coward · · Score: 0, Offtopic

    Please take note that every damn country in the world wants to be in control of what can happen in its territory. In the old times, when communications weren't so widespread, pervasive and fast, having a police force that patrolled the territory, a military one to protect its borders, and a secret service for those dirty jobs a government doesn't want to be associated with was enough; now it isn't anymore. Many things can be effectively done online (move money, transfer sensitive intelligence, trigger bombs, recruitment, etc), therefore the physical presence of the cop, secret agent, soldier has been replaced by the same people aided by technical tools to put them on par with the environment they're dealing with.
    It's a natural development of the way every country acts in order to keep that control. Thinking that some countries don't use these methods, even those whose politicians swear they'll never use wiretapping, would be foolish.

    1. Re:Every country does that by Anonymous Coward · · Score: 0

      May I ask why this was tagged as offtopic? Writing that in the digital information era governments want to be in control by using more modern methods than before sounds perfectly on topic to me.

  14. Never again? by Anonymous Coward · · Score: 0, Troll

    The German government finding ways to spy on its people? Gee, THAT'S never happened before.

  15. The classic /. question..... by budword · · Score: 2, Interesting

    Yeah, but does it run on Linux? Anyone know if said software will end up on your Linux box?

    1. Re:The classic /. question..... by maxwell+demon · · Score: 2, Informative

      According to http://www.esrockt.com/bayerntrojaner-hoert-skype-gespraeche-ab/ (German language), it only works on Windows.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:The classic /. question..... by Anonymous Coward · · Score: 0

      Indeed. One of the arguments against Linux I have heard in Germany from the most clueless is that using Linux means the police trojan can't work so Linux should be illegal...

  16. "how are they allowed to install their own..." by TransEurope · · Score: 2, Insightful

    "....software?"

    Good question. The best answer is, the Bavarian minister has exactly no idea of software and how it works. He shares his lack of knowledge with his federal counterpart Wolfgang Schäuble, the guy responsible for the so-called "Federal Trojan" (Bundestrojaner).

    http://en.wikipedia.org/wiki/Wolfgang_Sch%C3%A4uble

  17. I for one by MrCopilot · · Score: 4, Insightful
    am glad I live in a country where these abuses of privacy are outlawed by the constitution and the government would never even think to monitor our voice and data transmissions.

    That is why I am proud to be an American. They what, Oh damn.

    --
    OSGGFG - Open Source Gamers Guide to Free Games
    1. Re:I for one by Anonymous Coward · · Score: 0

      Duh. They already have it, but they don't want to sell it to Germans, that's why Germans had to create their own.

  18. What about China? by Toddlerbob · · Score: 2, Interesting
    As pointed out in a comment above, if Germany does it, why not the USA? (Especially with all the secrecy and propensity to spy on citizens that the USA feds have these days)

    I'm wondering now about China. I remember that Skype was, for a short time, on slippery footing for continued operations in the People's Republic. Then, for some reason, there was no longer a problem. I can't help but suspect that Skype may have opened up its code to China in order to continue operating there. The Chinese government lives and breathes by spying on its people (and anybody else living in its territory, of course).

    On the other hand, maybe they didn't open their code, but the Chinese government figured out how to tap into communications, anyway. In the current article, the Germans have shown one way that it's possible.

  19. Not just in Germany by Anonymous Coward · · Score: 0

    The Dutch intelligence agency can also intercept Skype calls, or so they told the audience at a recruitment event.

  20. It isn't talking about breaking Skype's encryption by Anonymous Coward · · Score: 0

    but rather seems to be some kind of skype-plugin that just copies all data sent to/from the original skype client. More like a trojan/keylogger...

  21. Same old same old by Anonymous Coward · · Score: 1, Interesting

    The Nazis spied on the German people, the communists spied on the German people, and now this supposedly "democratic" is following their lead. The more things change...

    1. Re:Same old same old by lukas84 · · Score: 1

      War. War never changes.

  22. Off topic, but important: weird CSS here by Anonymous Coward · · Score: 0
    For some reason the REPLY link to this story is at the bottom of the page. It is normally just below the story itself. Is this on purpose or some kind of a bug?

    FYI: MacBookPro, 2 gig RAM, OS 10.4.10, running Firefox 2.0.0.11. connection: standard DSL from Sympatico in Toronto, ON.

  23. That explains it by MacarooMac · · Score: 1

    So what we're saying is, a large percentage of the trojans and malware targeting our personal details and intercepting our computer communications channels that we constantly read about, probably originates from illegal government-telcom snooping initiatives.
    Mind you, back in 1999 the FBI did bust mafioso "Little Nicky" Scarfo with legally (they had a warrant) installed keylogging software. Don't think they used a trojan though. Makes you wonder what the preferred A-V package of the mafia boys is these days..?

    --
    "He Who Dares Wins" ...or gets twenty-to-life for totaling their Bimmer on a poodle parade
  24. Not Hard to get the details by Cannikan · · Score: 1

    It is not hard to get the details about the Skype Interception Projects used by various governments around the world. To get a complete document of policies, procedures, and best practices, just call up your mother on skype and ask for one.

  25. Skype on linux is a bad idea by Werrismys · · Score: 2, Insightful

    It's closed, proprietary crap after all.

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
    1. Re:Skype on linux is a bad idea by budword · · Score: 1

      I want Linux to succeed. That means I want some companies to develop for Linux. If they take the trouble to put out a Linux version, and it works, I don't mind giving them my money. In the end, it'll only help people move to Linux, and hurt the install base that is the biggest club of a certain predatory convicted monopolist. I do prefer OSS, but I also believe that everyone has a choice to make, and sometimes, proprietary software is a valid choice. People have the right to write closed source software, and other people have the right to buy it. It's their money. Posted from Kubuntu 7.10, with virtualbox running the couple of windows only apps I can't do without yet. David

    2. Re:Skype on linux is a bad idea by LingNoi · · Score: 1

      .... which just happens to be better than ekiga, amsn, gyachi, etc...

  26. anybody who believes skype to be safe, .... by WindBourne · · Score: 1

    is an idiot. Do you think that the USA, England, France, Germany, China, and Russia would allow their citizens to communicate without their knowing? ALL of them have the ability to listen in on the calls. Heck the fact that the calls exist in China tells you that THEY have it. Do you think they cracked it? Nope. They will simply have bought or stolen it from another country (most likely America). And I suspect that even if we (America) did not have it, we would also resort to obtaining it from elsewhere. After all, we tried to steal the technology for the squalls.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  27. To paraphrase Carlin by smittyoneeach · · Score: 1

    We should prick a hole in the stiff trojan front erected to cover these pricks.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  28. End to End Only by Doc+Ruby · · Score: 1

    The only encryption worth trusting is end-to-end, where at least one end is verified secure by you (because inevitably you'll have to trust the person at the other end, no matter how secure their tech is). Why would I trust Skype to be the middleman? Either to ensure the encryption works, or not to allow backdoors (designed or unexpected) in their carriage of the signals.

    When the network and all its intermediary nodes don't have to be trusted, because they just carry opaque traffic that only the endpoints can decrypt, that's worth calling "secure".

    In the meantime, what can be cracked by a private entity can also be cracked by public entities, like police. But of course the police must be bound by oversight. In the US, that would mean no peeking without prior evidence showing probable cause, decided and kept track of by a judge, according to the law. In Germany, they might have their own way of doing it, but if it doesn't require evidence, independent control deciding whether there's enough evidence to warrant the snooping, and public oversight of the overall program and its controls, it's violating their rights. And people whose rights are violated aren't cooperative with the violators in the long run.

    --
    make install -not war

    1. Re:End to End Only by DMUTPeregrine · · Score: 1

      > In the US, that would mean no peeking without prior evidence showing probable cause, decided and kept track of by a judge, according to the law.

      HA! Hahahahahahahahahahahahahahahahahahahahaha! *breathes for a bit* HA! In the US that would require someone saying that you are a terrorist. No evidence/probable cause/judge/oversight whatsoever needed. Pedophile may also work.

      --
      Not a sentence!
    2. Re:End to End Only by Doc+Ruby · · Score: 1

      Despite the many critical exceptions and the overall downward trend, practically all searches in the US are overseen by a judge (except for the major critical exception of vehicle searches).

      Just because Bush has shredded the 4th Amendment in a long line of presidents and Congresses trampling it doesn't mean Americans like me are giving up on our rights. Especially when they're still usually protected.

      --
      make install -not war

  29. But.. by schmu_20mol · · Score: 1

    ..will it run on Linux? (Hint: No, only Windows is supported.)

    --
    "Nae Kin! Nae Quin! Nae laird! Nae master! We willna be fooled again!"
  30. Wikileaks author is a jerk... by Anonymous Coward · · Score: 1, Insightful

    for not pointing out in the translation that they did this because of a criminal investigation. As long as a judge has allowed telephone interception for this case there is really no reason for all this 'German Nazi history' blahblah that slashdotters love to get all worked up about.

  31. The American people are sheep by jollyreaper · · Score: 1

    9-11, 9-11, they will cower in fear and let the government do whatever the hell it wants.

    Er, wait a sec, did you say Germany? Hmm. Maybe we'll get to see what it looks like when an the public, enraged by the abuses of their government, shows the bastards who's boss.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
    1. Re:The American people are sheep by jollyreaper · · Score: 2, Funny

      > an the public

      Schiesse. Maybe next they'll show us how to proofread. :(
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    2. Re:The American people are sheep by Daimanta · · Score: 1

      I hope you understand that scheiße is spelled wrong.

      --
      Knowledge is power. Knowledge shared is power lost.
  32. Maybe, but... by TransEurope · · Score: 2, Informative

    ...they were never hired by the CIA/NSA. They were all hired by the German Government to found the Bundesnachrichtendienst (Germany's Federal Secret Service) and the MAD (Military Counter Intelligence Service) in 1956 ;-)

  33. Congratulations /., you just got me to use adblock by Anonymous Coward · · Score: 0
  34. Naive people..... by jmorris42 · · Score: 2, Insightful

    > talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

    That is exactly why all the uproar. Too many stupid people looked at the magic encryption pixie dust eBay was splashing around Skype and thought it was safe. A closed implementation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national. If the crypto didn't have bugs[1] a court order from any jurisdiction eBay does business in would be all that is needed to open calls to police ears.

    If you want security it has to come from public crypto protocols implemented by open software running on open platforms. And even then, after you install OpenBSD, and carefully encrypt all of the partitions (even swap), you better make damned sure you keep physical control lest somebody install a keylogger and recover the passphrases.. and 'they' almost certainly can even manage it in laptops or handhelds!

    [1] A really big IF, requiring a 'willing suspension of disbelief' if ever anything did to buy.

    --
    Democrat delenda est
    1. Re:Naive people..... by Bungie · · Score: 1

      > A closed implementation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national.

      Most encryption algorithms are open standards and are the same regardless of the implementation. Open or closed, the output will be the same. If they use standard AES encryption then the data will be just as secure as it would be in an open implementation.

      A backdoor in their implementation would take effort and is risky, with little gain. What use would they have for the decrypted data? If they had a backdoor they would be responsible for providing it in response to things like court orders. If they can't decrypt the data then they are no longer responsible for it. It's up to the parties who want the decrypted data to find a method of obtaining it.

      It doesn't make any difference if it's open or closed. Their implementation is safe. If it was bad the government would just sniff the packets and reverse the encryption. They have to use the trojan to intercept the data instead because they can't easily decrypt it.

      --
      The clash of honour calls, to stand when others fall.
  35. Frist Psot Godwins! by m.ducharme · · Score: 1, Funny

    That must be a record or something.

    --
    Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
  36. misinformation by steveaustin1971 · · Score: 0

    I purposely send email containing keywords the government looks for... now thinking about playing O.B.L. speeches on Skype on loops..., if they want to spy, I want to make it as expensive and annoying as possible for them to do so. Whether they do it legally or not they have proven to be untrustworthy (the government(s))

  37. Fascism by J'raxis · · Score: 2

    Anyone who thinks fascism in Germany ended with the fall of Nazism is severely mistaken.

  38. Your privacy, Your liberty, Your freedom by iendedi · · Score: 4, Insightful

    1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

    It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

    In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them). Once so implicated, they can legally break down the door to your house, pull you from your bed, take you to a detention center, refuse to give you a phone call, hold you for as long as they like, torture you and so forth. If they decide to release you, they are not legally obligated to in any way compensate you for your life that they just demolished.

    I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?

    No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?

    When is it enough, people??
    --

    It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    1. Re:Your privacy, Your liberty, Your freedom by mgv · · Score: 0

      No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force.


      Personally I think that you are being a bit paranoid here about your response. It makes you as bad as the group you rally against.

      Except maybe for the vampires. To my understanding deadly force is pretty ineffective against them. (Just a friendly tip on that one :)

      Michael
      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    2. Re:Your privacy, Your liberty, Your freedom by iendedi · · Score: 1

      > No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force.
      >
      > Personally I think that you are being a bit paranoid here about your response. It makes you as bad as the group you rally against.

      How? I'm not sure I understand your implication? Are you saying that if a soldier breaks my door down in the middle of the night intending to pull me out of bed and drag me off to be tortured in some secret detention center for voting for Ron Paul that I shouldn't use deadly force to stop him?

      Or do you just think that it is paranoid to think that anyone might want to do that to someone just because they support Ron Paul?

      Are you against defending your family? If someone breaks your door down, would you defend them?

      > Except maybe for the vampires. To my understanding deadly force is pretty ineffective against them. (Just a friendly tip on that one :)
      >
      > Michael

      Depends on which kind of vampire. I doubt the movie variety would show up to break down your door.
      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    3. Re:Your privacy, Your liberty, Your freedom by Anonymous Coward · · Score: 0

      > No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force.

      You had a convincing argument until this point. Now you look like a nut that has no place in a civilised society.
    4. Re:Your privacy, Your liberty, Your freedom by iendedi · · Score: 1

      > No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force.
      >
      > You had a convincing argument until this point. Now you look like a nut that has no place in a civilised society.

      Which part of this sentence offends you?
      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    5. Re:Your privacy, Your liberty, Your freedom by Anonymous Coward · · Score: 0

      No, they tend to enter through open windows and chimneys and such. I hear hanging garlic around them helps.

    6. Re:Your privacy, Your liberty, Your freedom by iendedi · · Score: 1

      > No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force.
      >
      > You had a convincing argument until this point. Now you look like a nut that has no place in a civilised society.

      Clearly, this part of my post has been misinterpreted. I am not saying that one should use deadly force like some kind of paranoid reactionary. This topic was about the German government putting a virus on people's computers to steal keys in order to spy on them. This obviously resonates with people's memories about the Nazi regime and that was very much in my mind when I posted. I am certain that if you asked Holocaust survivors if they, knowing then what they know today, would choose to use deadly force when Nazis broke down their doors, I am sure they would say "Yes". We are not in a situation today like they were, then, but there are precedents for such things. I should have premised my sentence with something like, "If I were in Nazi Germany and someone broke my door down to drag me away, ...."

      Does this make more sense?
      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    7. Re:Your privacy, Your liberty, Your freedom by DavidShor · · Score: 1

      Not to say that you wouldn't be justified, but we cannot allow individuals to start shooting soldiers/police officers every time they think their impending imprisonment is unjustified.

    8. Re:Your privacy, Your liberty, Your freedom by dpastern · · Score: 1

      Amen. Sadly, the average person is so fucking lazy, this would never happen. People don't care about their rights anymore, all they care about is going to work, coming home for dinner, going to sleep, and repeat. Modern humans are nothing more than non-thinking, idiotic, automated robots for the rich/powerful/greedy. I see no benefit in modern society, at least not to the average person, and the sooner that current social structures degrade and break down, the better imho.

      Dave

      --
      Our lives begin to end the day we become silent about things that matter. --Martin Luther King Jr.
    9. Re:Your privacy, Your liberty, Your freedom by iendedi · · Score: 1

      > Not to say that you wouldn't be justified, but we cannot allow individuals to start shooting soldiers/police officers every time they think their impending imprisonment is unjustified.

      Yes, this is a slippery slope. Really, I was imagining being Jewish in Nazi Germany when I wrote what I wrote. We live in very different times today. But where is the line? At what point is extreme defense a reasonable response?

      Clearly, when we live in a sane society where human rights are respected and the rule of law is fair and balanced, extreme defense is an abomination.

      Equally clearly, if we live in a tyrannical totalitarian regime where you run the risk of going to the gas chamber for your beliefs, extreme defense is a necessary requirement for staying alive.

      The first example resonates with the America that I grew up in. The second with Nazi Germany.

      The suspension of Habeas Corpus and the various war-on-terror legislation has pushed America somewhere in between these two endpoints. I really don't know what the correct answer is, but I can tell you that if a time ever came where people were being dragged from their homes and disappearing, I think keeping extreme response options "on the table" would be quite important. In fact, I would go even further and say that we have the responsibility to go help neighbors when they are being dragged from their homes as well...
      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
  39. Telcom wiretapping by iendedi · · Score: 1

    > > The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.
    >
    > No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?

    Have you been hiding under a rock for the last 5 years? Warrants are so, umm, pre-Bush dynasty.
    --

    It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
  40. Getting closer, but not seeing it clearly by iendedi · · Score: 1

    The Nazis and fascism were created, funded and directed by the same occult forces that control Communism, Zionism, Western Democracies such as the USA, the various media empires around the world, all central banking establishments, world energy production and all militarization.

    All of the rest of it, the intrigue, the espionage, the media wars, etc... All of it is simply a tool for shaping society, forcing people to act and think in particular ways, to experiment with political systems and methods of human control, etc... The world has become overpopulated and difficult for these groups to manage lately, and the Internet is making it possible to investigate their activities on a wider scale than anytime in recorded history. These factors are vectoring the world towards a great conflict. Buckle your seat belts.

    Your belief is optional and the brainwashing is very strong. While it can be easy to see this self-evident truism if your mind is open, your programming will really twist and shake and rebel against this notion. That knee-jerk reaction you're feeling, right now, to call me crazy is exactly part of that programming. Consider why you are having that reaction, how many times you have been conditioned to associate insanity with words like the ones that you have just read. Consider where that conditioning has come from. Now consider how easily you can accept watching someone get torn to pieces on television, or how easily you dismiss a million people being killed by your government in a far off land. Your reaction to my words was strong and negative. Your reaction to the worst human misery and the most vile displays of violence on television was lazy dismissal. Now that you have this image in your mind, ask yourself why your conditioning was so much stronger in the case of my words...

    Wow, ..., that's called deprogramming folks.

    --

    It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    1. Re:Getting closer, but not seeing it clearly by Jeremiah+Cornelius · · Score: 1

      Babylonian death magic - carried out by the presumed descendants of an Egyptian fringe society.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Getting closer, but not seeing it clearly by iendedi · · Score: 1

      > Babylonian death magic - carried out by the presumed descendants of an Egyptian fringe society.

      They are certainly memetic descendants, in any case. But yes, the Babylonian mystery schools are exactly what I was talking about. The recent movie, 300, did a very good job of portraying the ancient reality of that system, "The thousand nations of the Persian empire will fall upon you!" ... ironic transposition ...
      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    3. Re:Getting closer, but not seeing it clearly by Jeremiah+Cornelius · · Score: 1

      The Indo-Iranian peoples were the opposition to the Babylonian/Egyptian wizards. They finally defeated the Assyrians.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:Getting closer, but not seeing it clearly by iendedi · · Score: 1

      > The Indo-Iranian peoples were the opposition to the Babylonian/Egyptian wizards. They finally defeated the Assyrians.

      Yea, that's why I think it was an ironic transposition in the movie. Fact inversions are part and parcel of what we see coming from these groups. They are excellent at projecting the character of who they actually are on their intended victim in order to demonize their victim and ensure that all of the blame for the resultant horrors is juxtaposed in such a way as to make the victim responsible.
      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    5. Re:Getting closer, but not seeing it clearly by Jeremiah+Cornelius · · Score: 1

      Dead
      On

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  41. Don't act so surprised by locokamil · · Score: 0, Flamebait

    Why is everyone acting surprised about this? The Germans perfected the art of surveillance; to think that this knowledge died with the Cold War is naive, no?

    1. Re:Don't act so surprised by locokamil · · Score: 1

      Really, flamebait?

  42. The US is not becoming like nazi Germany! by iendedi · · Score: 1

    > 9-11, 9-11, they will cower in fear and let the government do whatever the hell it wants.
    >
    > Er, wait a sec, did you say Germany? Hmm. Maybe we'll get to see what it looks like when an the public, enraged by the abuses of their government, shows the bastards who's boss.

    Sounds familiar. Didn't the German people do exactly that when they chose Hitler to tear apart their perceived bondage and servitude to the Internationalists? The German people reacted with a violent xenophobia that ultimately gave rise to the second world war. The German people targeted one group in particular, because they were incensed at their perceived control over Germany's finances, media and political apparatus and their perceived ruthlessness; squeezing the German people mercilessly and without pity with such tools as the Versailles treaty.

    We have no Versailles treaty destroying our economy and creating hyper-inflation, so perhaps we won't follow in Germany's footsteps. After all, our economy is strong, with no indication of hyperinflation in the future, right? And we are totally in control of our own media, banking and political apparatus, right? At least we can take comfort in that.

    Definitely things that are not the same about the rise of fascism in Germany and modern day USA:

    The Reichstag fire in no way resembles the 911 event in NY. It is reasonably clear that the nazis themselves started the Reichstag fire in order to provide the political ammunition necessary to institute the Enabling Act and invade Poland. Clearly, the three buildings in NY collapsed into a tiny pile of atomized concrete and molten steel because some kerosene ignited eighty stories up when a few religious fanatics rammed jetliners into skyscrapers while the US was playing simulated war-games that made it impossible to react properly. Very different situations.

    Hitler's Enabling Act in no way resembles the Patriot Act. Hitler's Enabling act was the second major step after the Reichstag Fire Decree through which the Nazis obtained dictatorial powers using legal means. The act enabled the cabinet under Hitler to enact laws without the participation of the Reichstag. The Patriot act simply allows US intelligence agencies to find terrorists, it has nothing to do with suspending the federal government to take dictatorial control. There are no "Granite Shadow" type actions such as that coming out of 911.

    Hitler's Invasion of Poland, being provoked by the Reichstag fire in no way resembles Bush's invasion of Afghanistan and Iraq, since we were going to get the terrorists responsible for 911. Clearly Hitler was just on a crusade for land and resources to further his war ambitions.

    Hitler's association with the occult can not be compared to Bush's membership in Skull & Bones. Being a part of a masonic, babylonian mystery school with secret doctrines of death magic cannot be compared to being a part of a secret Yale fraternity.

    Hitler's financing came in large part from American bankers, including a bank run by Prescott Bush. This bank was later seized for trading with the enemy. This cannot be compared to Bush's financing, because he does not get any financing from any of Hitler's relatives. It would be preposterous to imagine that any of Hitler's relatives have ownership in the US Federal Reserve, where Bush gets his financing.

    Hitler used extreme scare tactics, including but not limited to jailing supporters of political opponents. In America, that never happens and Bush certainly doesn't do it.

    I'll stop here for now, I think this partial list makes it pretty clear that we are on very different tracks and the two situations have nothing whatsoever to do with one another.
    --

    It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
    1. Re:The US is not becoming like nazi Germany! by Anonymous Coward · · Score: 0

      Bzzt! Wrong! Hitler illegally seized power in Germany by banning the SPD and other rival political parties and then having his political opponents either arrested, detained or murdered. The German population never gave Hitler a majority.

    2. Re:The US is not becoming like nazi Germany! by iendedi · · Score: 1

      Yes, that's right. But he did have sufficient support to put himself into a position to pull the rug out from under the existing system.

      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
  43. Skype encryption documentation and lack thereof by Beryllium+Sphere(tm) · · Score: 1

    True, Skype has never released the kind of documentation that would give a cryptographer or security professional any confidence. But some things have been made public by reverse engineers: www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

    1. Re:Skype encryption documentation and lack thereof by Anonymous Coward · · Score: 0

      The way I read that document, the German government doesn't actually have to lure anyone into installing the trojan. Or has the heap overflow problem since been fixed?

  44. Missing finer point by hknust · · Score: 0

    As some have already pointed out, it's a state not the federal govt. Also it gives an intriguing insight in the current state of surveillance technology employed by the state's police. VOIP has been around for a while and has apparently been a blind spot for investigators. Not exactly big brother...

  45. When the Bundeskriminalamt hands you a bug... by brassman · · Score: 1
    (Mike Doonesbury is holding up a lamp, which has an obvious microphone sticking out the top)

    Mike: "Gee, Zonker, I bet this frame up really has you upset."
    Zonker: "Yeah, Mike, you know me -- I get high on LIFE! And AMERICA!"
    Guy wearing headphones: (thinks) "Oops...."

    --
    "Ain't no right way to do a wrong thing."
  46. SO YOU MEAN by mad+flyer · · Score: 1

    That this article a few weeks ago about the German police stating that it's impossible to tap into skype phone calls was actually... rubbish...

    GOOD...

    This maneuver is borderline on vulgar, makes me want to puke even from the German. Stomping on people's privacy with leather boots and brown shoes is one thing. But considering they have sh1t for brains and deserve it is a little too much for my taste...

  47. Ignorant security expert strikes again. by Anonymous Coward · · Score: 0

    > .. and since they haven't opened the code up for auditing by disinterested third parties ..

    This is the most common misconception among layman security experts.

    The code need not be open, only the security protocol and run-time keys do. Even if the code is open, there's never a guarantee that the distributed Skype binaries are actually built from this code and not from some (bugged) fork.

    Therefore the best audit effort should be based on the analysis of what's unconditionally available - the traffic. For this, the auditor who verifies the adherence to the published specs needs (a) the specs (b) the way to decrypt intercepted traffic, i.e. the actual negotiated keys.

  48. Not so terrifying by Mr2001 · · Score: 1

    > In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them).

    Heh. He might be a little more terrifying if he had some chance of winning the GOP nomination (to say nothing of the general election). He has some highly motivated followers, but those don't add up to a majority of votes.
    --
    Visual IRC: Fast. Powerful. Free.
    1. Re:Not so terrifying by iendedi · · Score: 1

      I think what makes him terrifying isn't whether he can win or not, but simply what his message is. He is waking people up.

      --

      It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
  49. Germans back to their old ways by Anonymous Coward · · Score: 0

    Same as in the US. Constant eavesdropping, yet another infringement on our rights by the gov't. Add it to the ever-growing list of violations:
    They violate the 1st Amendment by opening mail, caging demonstrators and banning books like "America Deceived" from Amazon.
    They violate the 2nd Amendment by confiscating guns during Katrina.
    They violate the 4th Amendment by conducting warrant-less wiretaps.
    They violate the 5th and 6th Amendment by suspending habeas corpus.
    They violate the 8th Amendment by torturing.
    They violate the entire Constitution by starting 2 illegal wars based on lies and on behalf of a foreign gov't.
    Support Dr. Ron Paul and save this great country.
    Last link (unless Google Books caves to the gov't and drops the title):
    America Deceived (book)

  50. Not to be blunt, which kind of vampire? by freaker_TuC · · Score: 1

    > Depends on which kind of vampire. I doubt the movie variety would show up to break down your door.

    Oh, so now we have to ask the perpetrating vampire for a resume first?

    "Sorry to disturb you, which kind are you? I'll be using the wooden or silver stake tonight!"
    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..