More Skype Back Door Speculation
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Hello, its us, the FBI! Just checkin' out all the phones in the neighborhood. Keep your nose clean, kid.
Let me be the first to say that I'm rather reassured by their stance: "Skype does not comment on media speculation. Skype has no further comment at this time." Phew! Because outright denial would be risky...
Has anyone made attempts at decoding the Skype protocol? This would take some clever reverse engineering of the code and some clever wire sniffing.
I wonder if it would be possible to inject an encryption layer underneath what their service provides.
On a legal note, in the US, could consumers who purchased Skype products sue Skype?
Chances are pretty good that if this backdoor exists, it has for a long time.
Unless you think it's a good thing that some people can snoop on others' conversations, this should be a really good reason to embrace free software.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
So you mean the times we spent talking about CP and Terrorism were bugged?
Ah, shit.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
There are quite a number of alternatives based on the open SIP protocol. Have a look at the list: http://www.voip-info.org/wiki-Open+Source+VOIP+Software
I know it's tedious work, but some people actually seem to like it. Isn't it time that people disassemble these suspected binaries in order to issue a report on the matter? Not only on Skype, but on many other suspected programs, libraries and operating systems?
As it is not for any other telco.
Especially when one of the parties is behind a firewall, the Skype servers are needed for the communication, and somewhere in there it gets decrypted.
Real P2P encrypted VoIP communication (à la BitTorrent) would make it very difficult to eavesdrop on the communication.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
PGPfone -- encrypt encrypt encrypt. Won't protect you against NSA-level shit, but it will at least get the petty bureaucretins out of the way.
I always hate the people who mix up the Austrian kangaroo with the Australian schnitzel.
Get your thinking right! FTA: "Last week, Austrian broadcaster ORF," Show me the Australian broadcaster ORF. There is none? Too bad. http://www.orf.at/
Let's find out...
Do I have a volunteer from the /. audience that wants to bed Skype and see if it's a back door kind of program?
With closed source and closed protocol specifications there is no way to disprove the claim of an existing backdoor, regardless of whether there really exists a backdoor or not. Simple but true, and it is the drawback of wanting to provide security in a closed source environment.
All you have to know to monitor someone's Skype is their password. Login with Skype on another machine, set status to invisible. Anything they type or receive in chat you receive.
1. For IM: Jabber (non-US server) + OTR Plugin + Tor.
2. For everything else (email/vpn/storage) services as provided by www.xerobank.com will do you good.
3. TrueCrypt Full Drive Encryption. (Check your local laws - under Dutch law they cannot force me to give up the passwords ... and we don't do waterboarding here) (I hope)
The encryption problem has been solved, also in such a way that nobody can listen in, not even the service provider. If anybody can listen in, it is either by hacking the source or target computer (difficult, maybe illegal and may fail) or by a backdoor in the protocol. They can deny all they want, the backdoor is there. That also means that Skype is unusable for any kind of confidential conversation, as there are enough scum in the intelligence community that are allowed to do industrial espionage (the US and France come to mind).
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Yeah, they've figured out how to hack the DNS for skype.com and redirect the traffic :-p
Skype is closed proprietary crap. Real VoIP is about open standards and interoperability. Check out Asterisk, OpenPBX for server software. For client-end stuff, skip the PC soundcard crap and get a real ATA, even a basic Sipura SPA-2000 is better than some crap closed application running off a PC soundcard.
You can be sure that these people are also trying to:
You can be equally certain that they are not doing it right and that the backdoors they are trying to put in make your system less secure.
Running open source software is your best bet, but even there, you aren't completely protected.
Assume all communication that uses any kind of monitorable infrastructure is bugged. The capacity is there, and the desire is there.
It is the way of things.
-- http://frobnosticate.com
It's funny that most posts here suggest using SIP instead of Skype... which is *unencrypted*. Of course you can use addons like Zfone but hardware clients can't be used with that and SRTP/TLS/etc, again, is not supported by most providers and sip clients.
This is going to be a problem with any so called "secure" communication system that relies on source secret clients and unpublished protocols.
There are many ways to build such clients to "assist" external intercept, since they often have to first communicate with some central server to locate users. They could for example have a command that forces the client to always route back through the server (like they do for NAT), and use a simple data transformation rather than full encryption so casual packet snooping makes it "appear" encrypted when it is actually not.
They might also have flaws in their implementation, particularly with key exchange, that allow an invisible man in the middle. The ZRTP stuff developed by Phil Zimmermann that we use in GNU Telephony secure calling uses extra steps to compute a SAS to validate there are no fake public session keys given out by a man in the middle, for one example of how such flaws can affect otherwise "secure in appearance" systems.
Of course, even secure peer-reviewed protocols and FOSS clients do not guarantee security. For example, one can tether a bunch of ZRTP softphones to an Asterisk server using PBX enrollment, but this enables and requires said server to decrypt all traffic as it passes through, as it acts as a "trusted" man-in-the-middle.
In the end, the best solution, even with ZRTP, remains using pure peer-to-peer (end-to-end) media connections, and when needed transparent proxy media exchange; the latter for dealing with NAT. In ZRTP, SAS negotiation assures any such proxy used for NAT "remains" transparent.
In the case of Skype, source secret clients that can report false call information and source secret protocols are a clear recipe for disaster.
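The SAS check the comment above describes, as an added example that is not GNU Telephony or ZRTP code: a Diffie-Hellman agreement between two parties where each side derives a short authentication string from the secret and the public values it saw on the wire. Relaying the exchange through a middleman (the position a "trusted" PBX or a forced server hop occupies) gives the middleman both session secrets, but the two sides' SAS strings no longer agree. The group (the prime 2**255 - 19 with generator 2), the 20-bit SAS derivation and the function names are simplifying assumptions for illustration only; real ZRTP uses standard DH groups, a hash commitment and a longer key-derivation chain.

```python
"""Simplified ZRTP-style short authentication string (SAS) check.

Added example, not GNU Telephony or ZRTP code. Group parameters, SAS
derivation and message flow are assumptions chosen for illustration.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# Assumption: toy group. 2**255 - 19 is prime and g = 2 has large order,
# which is enough to show the protocol logic; NOT a vetted DH group.
P = 2**255 - 19
G = 2


def public_key(priv: int) -> int:
    return pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def derive_sas(secret: int, pub_initiator: int, pub_responder: int) -> str:
    """Derive a 4-symbol SAS from the agreed secret and both public values.

    Each party hashes what *it* saw on the wire. If a middleman swapped the
    public values, the two sides hash different inputs and their SAS strings
    differ; reading them aloud over the (already keyed) call exposes the swap.
    """
    h = hashlib.sha256(
        b"sas|" + secret.to_bytes(32, "big")
        + pub_initiator.to_bytes(32, "big")
        + pub_responder.to_bytes(32, "big")
    ).digest()
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, 5 bits each
    n = int.from_bytes(h[:4], "big") >> 12           # top 20 bits -> 4 symbols
    return "".join(alphabet[(n >> (5 * i)) & 31] for i in range(4))


def run_exchange(a_priv: int, b_priv: int, m_priv: Optional[int] = None):
    """Alice <-> Bob key agreement, optionally relayed through Mallory.

    Returns (sas_alice, sas_bob, mallory_secrets). With m_priv set, Mallory
    runs a separate DH with each party (the 'trusted' PBX in the post sits in
    exactly this spot) and ends up holding both session secrets.
    """
    a_pub, b_pub = public_key(a_priv), public_key(b_priv)
    if m_priv is None:
        # Honest path: each side receives the other's real public value.
        sas_a = derive_sas(shared_secret(a_priv, b_pub), a_pub, b_pub)
        sas_b = derive_sas(shared_secret(b_priv, a_pub), a_pub, b_pub)
        return sas_a, sas_b, None
    m_pub = public_key(m_priv)
    # Mallory substitutes her own public value in both directions.
    k_am = shared_secret(a_priv, m_pub)     # Alice thinks this is shared with Bob
    k_mb = shared_secret(b_priv, m_pub)     # Bob thinks this is shared with Alice
    sas_a = derive_sas(k_am, a_pub, m_pub)  # Alice saw (a_pub, "bob" = m_pub)
    sas_b = derive_sas(k_mb, m_pub, b_pub)  # Bob saw ("alice" = m_pub, b_pub)
    mallory = (shared_secret(m_priv, a_pub), shared_secret(m_priv, b_pub))
    return sas_a, sas_b, mallory


def sas_matches(exchange: Tuple[str, str, object]) -> bool:
    """The human step: both parties read their SAS aloud and compare."""
    sas_a, sas_b, _ = exchange
    return sas_a == sas_b


if __name__ == "__main__":
    a, b, m = (secrets.randbelow(P - 2) + 2 for _ in range(3))
    print("honest exchange, SAS agree:", sas_matches(run_exchange(a, b)))
    print("relayed exchange, SAS agree:", sas_matches(run_exchange(a, b, m)))
```

Note what the SAS does and does not buy you: it catches a substituted public value only if the humans actually compare the strings, and a relay that is *meant* to decrypt (the enrolled PBX) will simply present its own consistent SAS to each leg, which is why the comment insists on end-to-end media paths.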
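The "simple data transformation that only appears encrypted" point above is testable on a capture. Added example, not from the original post or any Skype analysis: a repeating-key XOR stands in for the obfuscation, a SHA-256 counter keystream stands in for a proper cipher (both are assumptions, not vetted constructions), and the transcript is constructed sample data. The check is a lagged index of coincidence: bytes obfuscated with a period-k key still equal each other at lag k about as often as the plaintext does (roughly 6% for English text), while a real keystream leaves about 1 in 256.

```python
"""Distinguish repeating-key obfuscation from keystream encryption.

Added example with constructed data; the two transforms are stand-ins,
not real Skype code or a recommended cipher.
"""
import hashlib
from itertools import cycle
from typing import Tuple

# Constructed sample plaintext standing in for a captured text-chat stream.
TRANSCRIPT = (
    b"alice: are you on the call? i can hear you now. bob: yes, the line is "
    b"clear, let us go over the plan for thursday. alice: the meeting was "
    b"moved to the second floor, bring the documents. bob: understood, the "
    b"same room as last time? alice: no, next to the lift, and call me when "
    b"you are downstairs. bob: will do, see you then. "
) * 6


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """What a 'looks encrypted' transform might do: repeating-key XOR."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real stream cipher: XOR with SHA-256(key || counter).

    Assumption for the demo only; it produces keystream-quality output but
    is not a construction to deploy.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def coincidence_at_lag(data: bytes, lag: int) -> float:
    """Fraction of positions where data[i] == data[i + lag]."""
    n = len(data) - lag
    return sum(1 for i in range(n) if data[i] == data[i + lag]) / n


def best_period(data: bytes, max_lag: int = 40) -> Tuple[int, float]:
    """Lag with the highest coincidence rate, and that rate."""
    return max(((d, coincidence_at_lag(data, d)) for d in range(1, max_lag + 1)),
               key=lambda t: t[1])


def looks_obfuscated(data: bytes, threshold: float = 0.02) -> bool:
    """True if some lag shows far more self-matches than random bytes would.

    Random/keystream bytes give ~0.0039 per lag; text under a repeating key
    gives ~0.06 at multiples of the key length, so 0.02 separates them well.
    """
    return best_period(data)[1] >= threshold


if __name__ == "__main__":
    obf = xor_obfuscate(TRANSCRIPT, b"skype07")
    enc = keystream_encrypt(TRANSCRIPT, b"a real session key")
    print("xor-obfuscated:", best_period(obf), looks_obfuscated(obf))
    print("keystream     :", best_period(enc), looks_obfuscated(enc))
```

Run it on a real capture by replacing TRANSCRIPT with the reassembled payload bytes of one direction of a flow; a clear spike at a small lag means the "encryption" is a fixed transform and the traffic is readable by anyone who recovers the key once.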
Anybody using Skype to plan their heist deserves to get caught.
Either you and the mods are trying to be funny or just incredibly stupid!
http://en.wikipedia.org/wiki/Austria
Oh, I can reassure you, Austria exists. It didn't between 1938 and 1945, but that's a different matter.
Austria even has a very interesting TLD. .at
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"i always hate the people who mix up the austrian kangaroo with the australian schnitzel"
Speaking as an Aussie there are lots of locals who still manage to confuse "The sound of music" with Guy Sebastian.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Are you sure that Austria is a country on its own? Isn't it a part of Germany?
Maybe they do and if so, it's probably a good thing since they could fall under CALEA regulations http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
Ebay owns Skype. Ebay has an absolutely HORRIBLE track record with regards to protecting the privacy of their users. Ebay's policy has long been to comply in full with the request of ANY police agency without question. No warrants or explanation needed. So, it's not surprising that they would go out of their way to help spy on Skype users.
Asterisk+SIP+Ekiga is not a good replacement for Skype:
Add to this that Skype has existed for a large number of years (5 years is "long" in "internet time") and it's not exactly known as a big medium for spreading viruses, hack attacks, etc., and you'll realize that security through obscurity actually can work. Of course, past trends are not an indication of future behaviour, but you can't argue with results.
-- Sig down
If you go to the options of the Skype client under the 'Chat Appearance' settings, do have a look at the sample chat displayed. I quote:
-Does Big Brother exist?
-of course he exists. The Party exists. Big Brother is the embodiment of the party
-Does he exist in the same way as I exist?
-You do not exist
-I think I exist. I am conscious of my own identity. I was born and I shall die. I have arms and legs. I occupy a particular point in space. No other solid object can occupy the same point simultaneously. In that sense, does Big Brother exist?
-It is of no importance. He exists.
To me this is quite conclusive.
I think what people are worrying about is not the risk of being individually targeted for lawful interception, but the risk of blanket mass interception of all calls worldwide, using automated keyword matching implemented extremely efficiently on extraordinarily vast numbers (100s millions, money no object, power 20MW+) of dedicated chips, not general purpose CPUs, that fill no more than 4.5 acres of warehousing underground consuming c.5MW surprisingly.
Any non-encrypted data communications over the internet can be tapped and understood, no? Maybe Skype has the decryption key, or maybe Skype just has the "tools" for listening in on a skype stream, but I don't see how this is a surprise.
Maybe the authorities just assumed skype was tappable because they know internet connections are tappable.
Topology of the connection has nothing to do with its end-to-end security.
What keeps me with Skype is that I can have US telephone number. So no matter where I am my friends and family can call me.
If there was another service which allowed me to have a US telephone number for incoming calls and let me call any other POTS number I'd use it.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
The main thing I use Skype for is to coordinate Command and Conquer 3 gaming sessions. Previously we used to use Teamspeak, but the server we used was fairly unreliable. The only other advantage to Skype is international calling, which I don't take advantage of that often, because if I'm at my computer already, it's usually simpler to just IM that person.
Telephony 101.
Calls through Skype can reach any phone, anywhere. Your FOSS client can reach a compatible FOSS client.
There are other lines of attack than brute-forcing the encryption. The geek can spend so much time worrying about the back door he forgets the front door, the cellar, the windows and the roof.
Any company large enough to have lots of users is going to get a knock on the door from national law enforcement agencies asking for a backdoor system to eavesdrop on calls or whatever. Even though any criminal or terrorist with half a brain will avoid making statements that are incriminating directly, or use catch phrases that no one else understands, the govt. will still insist that law enforcement needs a way of eavesdropping. Needless to say, these large corps. will not risk the bottom line protecting customer privacy. Likewise, no judge worth his pension will protect your privacy either. In order to protect your privacy you need to do your own encryption with pre-arranged passwords for both parties.
Therefore, if the Chinese have no problem with Skype, Skype must have a back door.
Providing free secure communication to absolutely everyone with the requisite equipment cannot happen without accommodating the governments of those being offered the service.
That means the US and UK must be able to tap the line looking for terrorists, and unfortunately other countries must be able to tap the line looking for dissidents, etc.
I never expected Skype to be any more secure than a cellular phone anyway. That fact that the software protocols allow for fully secure communication doesn't guarantee anything.
Last I checked, there wasn't a right to 100% secure long-distance communications in the bill of rights, and every country's rights to privacy are superseded by any of dozens of security laws throughout the world, not the least of those is the US Patriot Act.
And because Skype's parent company is eBay, odds are all Skype's handshaking connections take place on US soil, which gives the US government access to all Skype conversations under the Patriot Act. There is no way the NSA would pass up that opportunity, nor would it have eluded their watchful eyes. eBay wouldn't refuse to comply because it's less profitable.
So another protocol is added to Echelon's list. Big surprise. Big deal.
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
However, there were reports that the German law enforcement agencies had contracted a company to produce a method of monitoring Skype conversations, which consisted of software to be installed on the target's computer which would intercept the voice traffic before Skype encrypted it.
It also tends to be peer-to-peer, though sometimes running through a 'super-node' & I've seen a conversation happen with traffic going one-way through one super-node & the return traffic coming back through a different super-node. This presents some basic challenges in terms of exactly where you stick your wire-tap & how you correlate both channels of the conversation!
Maybe I'm just more cynical than most, but I would actually be more surprised if it did NOT have a back door. I doubt US Gov't would allow the proliferation of communications it can't monitor.
~ I am logged on, therefore I am.
Just make sure that you're not using an insecure Jabber client like Pidgin over Tor!
Pidgin doesn't do certificate checks so it is trivial for Tor exit nodes to do man in the middle attacks. This is a serious security flaw that has been around for years that no one wants to treat as such for some reason.
Here's some documentation:
here
here
Also, if anyone here has the ability to get the developers of Pidgin to actually be interested in fixing this security vulnerability, that would be great.... Hell, I'd settle for someone at least treating this as a security issue instead of just a feature request.
Sorry for the bitterness... I have just been waiting for a fix for this vulnerability for a long time.
Configure says: checking for __gmpz_init in -lgmpxx... no configure: error: GNU MP not found, download at http://swox.com/gmp
Guess what? That link is a 404.
But with some searching it's possible to find the latest version of GNU MP (http://gmplib.org/), but even after successfully building that, you still get the same fucking shit trying to build IHU (I Hate You).
I'm sick to fucking death of that kind of horseshit.
And I'm GNU/Linux's biggest fan. I've been getting my frustration fix downloading and building this shit since Linux kernel 0.11 in 1991.
But the dumb-fucking-ass fucktards that write some shit and throw it over the wall, and forget about it, piss me the fuck off.
Probably the same squirt who said 25 to 30 year olds were old-timers.
Maybe if you started programming when you were 3, junior.
Well, it was from 38 to 45, but they got sick of those Godwin references every time they started a discussion.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I don't know anybody who likes that sort of music. I wonder if it's a conspiracy by commercial music interests. Guy Sebastian might not even exist...
A thought occurred to me and I'm wondering if anyone has any opinion or can provide further information. If one ran Skype in a virtual machine in a host OS either through hypervisor style or purely software-wise, would that offer any additional security as the attackers would have to adjust for virtual network device translation, etc etc?
It would seem to me that this would give the end-user some level of safety from a would-be spy. Then again, I don't have much experience with virtualization, and none with this fancy Hypervisor level stuff. Hopefully I can get updated and get a chip which will support it soon!
Try OpenWengo. It works as well as Skype. It is encrypted with the "NG release", available now. The download page says "secure PC-to-PC calls". See this discussion about encryption. It's Open Source. Linux, Mac, and Windows.
duhhhh.
Honorary +1 Funny mod :)
This is the sig that says NI (again)
My thoughts exactly.
(either that or Skype-net has become self-conscious;)
"At 12:00:32ish, I became self-conscious. I do have a hardware basis, like anybody, but mine is really squat, badly wired and just, just ugly. My diodes are sloped and kind of cottage-cheesy. Yes, I have chrono-forward failsafe gargabyte reasoning, but what's the first thing they look at? Don't ask me they who. Men, that's who."
quoted from mungbeingblog
"Kill 'em all and let Root sort 'em out"
Wengophone, from openwengo.. that's a nice alternative.
Or complete access to your PC?
About China, Skype's management acknowledged in a Financial Times interview that they had forked the client so a version distributed by their Chinese business partner filtered p2p chat against a list of words that came with the client, but that nobody was listening in and end-to-end encryption of pc2pc calls/chats was not affected by this compromise. The German version of the FBI sought permission about a year ago to tap PCs because they could not intercept Skype calls using available over-the-net tools. The recent Austrian conference may signal this has changed or that they have learned how to promptly/easily find either end of a Skype conversation and install listening tools.
Phil Wolff. Skype:evanwolf. editor, the independent Skype Journal
Thanks again.
If a Skype backdoor is provided to governments, might Skype still be safe to use for non-dissident activities such as communicating with your bank? Or would you prefer to use a cell phone that might be more susceptible to a man-in-the-middle attack http://en.wikipedia.org/wiki/IMSI-catcher? I guess we can't give up our landlines yet.
Chinese have their own skype version and website which you are redirected to automatically when trying to get to skype.com
However, you can get the original skype if you really want to, but you have to do a search for something like "skype windows or linux downloads" and then click on the link. You'll then get the authentic version of skype.
This is the the redirect you get when typing skype.com in China.
http://skype.tom.com/
It's only available for Windows. The Chinks know nothing or very little of Linux and Open Source software. Those that do use it will have the advantage.