Slashdot Mirror

← Back to Stories (view on slashdot.org)

German Govt. Skype Interception Trojans Revealed

Posted by CmdrTaco on from the trojan-man dept.

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."

19 of 172 comments (clear)

  1. Why should we be surprised? by trelayne · · Score: 5, Insightful

    If Germany can do it, do we really think it hasn't already been done in the states? Skype, is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

    1. Re:Why should we be surprised? by Kadin2048 · · Score: 5, Insightful

      If Germany can do it, do we really think it hasn't already been done in the states?
      Skype, is very popular and would be a logical means for governments to monitor
      conversations---especially when said program touts itself as being encrypted and
      secure. So the German revelations are likely a national security goof. More than that, while the Germans have to install this aftermarket snooping program, it wouldn't surprise me if Ebay provided a convenient backdoor in the code so that the U.S. government can do the same thing without going to all the trouble and expense (both of third-party software, and warrants).

      How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.

      For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  2. Re:Germany by CastrTroy · · Score: 4, Insightful

    The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road. They aren't allowed to walk into your house and watch you all day. Once they start installing trojans on computers for listening to skype calls, it's not a far stretch from them installing trojans to record every action you do on your computer.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. Man-in-the-middle against SSL? by gnasher719 · · Score: 4, Interesting

    Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

    The only possibility that I can see is to modify the browser itself, so that when the user tries to get a secure connection to www. criminals.com, the browser contacts www. police.de instead, gets a valid certificate from the police, while the police's computer then makes a secure connection to www. criminals.com.

    1. Re:Man-in-the-middle against SSL? by maxwell+demon · · Score: 3, Interesting

      To redirect the user from www.criminals.com to www.police.de, they only have to intercept DNS calls (unless the criminals have edited their /etc/hosts or Windows equivalent, but if they get a trojan in, that shouldn't be too hard to change as well). The only thing which might be problematic is to get a valid certificate. But then, they probably can get that by just connecting themselves (which they'll do anyway if they do a man-in-the-middle). AFAIK the certificate only contains the domain name, not the server IP, so since the browser thinks it's connected with www.criminals.com, it will accept the original certificate for the fake server. I'm no SSL expert, though, so I may be missing something here.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Man-in-the-middle against SSL? by gnasher719 · · Score: 3, Interesting

      mac spoofing, arp poisoning, dns spoofing, and a fake certificate Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.

      With a minute of thinking: The first method would be much better, because they don't need to know ahead who I am going to contact.

      With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?

      With a further minute of thinking: My computer has about 100 root certificates installed that came with Leopard, and similar things happen for Windows users. I have no idea where these certificates come from; I just have to trust Microsoft and Apple. If the police could convince Microsoft and Apple to put a root certificate owned by the police into their installers, then the police could read anyone's SSL connections without breaking into their homes (but breaking into their connection a bit further down the line)?
    3. Re:Man-in-the-middle against SSL? by Rich0 · · Score: 3, Insightful

      You are completely correct. When you tell your browser to trust a root certificate - that means exactly what it sounds like it means. Whoever has the signing keys to that root cert can make your browser think that any site is legit for any domain name.

      Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browers.

      Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.

  4. It's NOT the german gov,... by TransEurope · · Score: 5, Informative

    it's the bavarian government, a federal state of germany.

    http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102375/;words=Skype
    http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102485/;words=Skype

    1. Re:It's NOT the german gov,... by KDR_11k · · Score: 5, Funny

      For Americans, just think of Texas with lederhosen instead of cowboy garb.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  5. Re:Germany by trewornan · · Score: 4, Insightful

    Germany still seems to have a lot of it's old attitudes lying around.

    Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

  6. Skype is not securely encrypted. by WK2 · · Score: 5, Informative

    Skype is not securely encrypted. The only client is closed source, and the protocol is not open, nor peer-reviewed. The developers themselves have said that security analysts would probably quickly find holes if they opened the source.

    It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.

    http://en.wikipedia.org/wiki/Skype

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  7. Re:Germany by Aardpig · · Score: 5, Insightful

    As someone else has pointed out, it is legal in Germany for police to monitor phone calls, when they get appropriate authorization from a judge. Contrast this with the United States, where the administration is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

    --
    Tubal-Cain smokes the white owl.
  8. I for one by MrCopilot · · Score: 4, Insightful
    am glad i live in a country where these abuses of privacy are outlawed by the constitution and the government would never even think to monitor our voice and data transmissions.

    That is why I am proud to be an American. They what, Oh damn.

    --
    OSGGFG - Open Source Gamers Guide to Free Games
  9. Re:Germany by STrinity · · Score: 3, Insightful

    The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.
    No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?
    --
    Les Miserables Volume 1 now up with my reading of
  10. Re:Germany by Nullav · · Score: 4, Insightful

    So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them. Also, with this information out in the open now, anyone with a lick of sense will be even more wary of such rogue email attachments.

    tl;dr - No one has to convince you to pick up a tapped phone.

    --
    I just read Slashdot for the articles.
  11. Re:Germany by Yahma · · Score: 4, Insightful

    My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telco's, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the otherhand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.

    The difference in public reaction is likely due to the histories of our respective nations. The Germans populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the otherhand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.

  12. Re:Germany by hkl387 · · Score: 5, Insightful

    This is not about Germany's past, this is a global issue of today.

    According to a 2007 International Privacy Ranking, there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".

    Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that Citizen's rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.

  13. Re:Germany by m.ducharme · · Score: 5, Funny

    I always wondered what that weird looking dongle was hanging out of the USB port....

    --
    Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
  14. Your privacy, Your liberty, Your freedom by iendedi · · Score: 4, Insightful

    1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

    It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

    In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them). Once so implicated, they can legally break down the door to your house, pull you from your bed, take you to a detention center, refuse to give you a phone call, hold you for as long as they like, torture you and so forth. If they decide to release you, they are not legally obligated to in any way compensate you for your life that they just demolished.

    I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?

    No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?

    When is it enough, people??
    --

    It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving