More Skype Back Door Speculation
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
gizmo
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.
I asked the internet, she donned her Stupomitron Helmet, et voilà
"Be light, stinging, insolent and melancholy"
There are quite a number of alternatives based on the open SIP protocol. Have a look at the list: http://www.voip-info.org/wiki-Open+Source+VOIP+Software
http://en.wikipedia.org/wiki/Gizmo5 says that the client is proprietary software. Are you talking about some other client with the same name?
It has been attempted. See "Silver Needle in the Skype" presentation at http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf -- The impression I got was that it was deliberately made difficult to understand by adding all sorts of checksums and encryption layers.
I read a good presentation by people that had tried to disassemble Skype, and basically, Skype do so much to make it very, very difficult. Here's a PDF version of it.
If it was easy, someone would have done it by now, and made Gnype, don't you think?
Get your own free personal location tracker
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.
For Linux there's a decent program called I Hear You (IHU), very simple program, GPL-licensed etc., you can find it at http://ihu.sourceforge.net/
VoIP/SIP is open.
You only need a client and an account with any of the free SIP providers. Or you set up Asterisk (or another free PBX software) and become your own provider.
The problem with SIP is that few people actually use it whereas Skype is everywhere.
An alternative to what? To Skype? To the PSTN? Software running on a PC is always going to be a poor solution, and is far from your only option for Internet voice communication. You do NOT need some app on your PC to do VoIP. What you want is something called an ATA - it's a little box that has a jack for a regular phone, and an Ethernet port. They are often supplied with service such as Vonage, but are usually 'locked' down to that provider. You can also buy them directly, but you will of course still need 'something else' to initiate SIP connections to. For information about real VoIP networks (both net-to-net, as well as PSTN interconnection), visit voip-info.org
From the wikipedia link you gave:
"Unlike its competitor network Skype, the Gizmo5 network uses open standards for call management, the Session Initiation Protocol and Jabber."
Not a Twitter sockpuppet... but I wish I was.
The Gizmo5 client is proprietary, but it uses open, standard, protocols (including encryption by SRTP).
Of course if you want to go open source there are a lot of SIP clients available (on Windows and Linux anyway, less so on OS X). Twinkle ( http://www.twinklephone.com ) looks pretty good, I just wish it was cross-platform.
Using an open standard is not the same thing as being "open source" or "completely open".
Several orders of magnitude more daily minutes are done with SIP than Skype. SIP is used for corporate networks and calling card providers and lots of other situations.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
freeswitch.org does SRTP/TLS so even with VoIP you can have it encrypted. It can also do passthrough which would let things like Phil Zimmermann's ZRTP do its magic.
In addition I am working on a PSTN encryption system primarily designed for mobile phones, but I plan on writing a FreeSWITCH module to make it work for PSTN links as well.
If you ever use a server you do not control you run the risk that those who do control it will get a warrant and not inform you of such (often warrants come with gag orders attached, even subpoenas do). If you control it you will be able to (usually) detect downtime and installation of weird software you don't recognize (or you are unqualified to run the system :)
VOIP is peer-to-peer. A server is only used for matchmaking, and bandwidth is minimal.
Besides, OSS != guy in basement. Mozilla, Canonical and Red Hat somehow manage to pay for a few servers and a bit of bandwidth.
How can I believe you when you tell me what I don't want to hear?
I found Ekiga pretty straightforward to get working. Not two clicks, for sure, but you are led through all the necessary steps by the nose.
And the network effect no longer applies if Ekiga users can call Skype users (And they can).
"Be light, stinging, insolent and melancholy"
So if there is a backdoor, their site is lying, and I can smell a class action.
1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765
Asterisk+SIP+Ekiga is not a good replacement for Skype:
Add to this that Skype has existed for a large number of years (5 years is "long" in "internet time") and it's not exactly known as a big medium for spreading viruses, hack attacks, etc. and you'll realize that security through obscurity actually can work. Of course, past trends are not indication of future behaviour, but you can't argue with results.
-- Sig down
Zfone?
Encrypted calls > Ekiga.
Sorry, I love Ekiga myself, especially since it has video, but I don't want to be eavesdropped on. Which is why until Ekiga incorporates Zfone's SDK, it's Zfone all the way. The software is "open source", like PGP is "open source", but the libs and the SDK are GPL. For the program, they won't accept your contributions, and I'm not too sure if they will for the libs, either; I guess it's mostly to keep it untampered, but they should be accepting contributions for the libs and SDK...
Their encryption is pretty cool. Even the "basic" encryption works great; and the "extra" stuff is mostly just reading out a passphrase.
Because something like this will be audited if at all possible. Skype is closed, the binary is encrypted, it auto-exits in the presence of debuggers, and does various other things to prevent reverse-engineering. And, still, someone at BlackHat took it apart and found a remote vulnerability. If it were open source and popular, a lot more people would be poking it for holes.
More important than open source, here, is open standards. In an open standard, lots of cryptographers will look at the protocol for holes without considering the implementation details, and lots of others will look for holes in specific implementations. Implementation-related holes (such as the heap-overflow exploit in Skype) will not affect as many people, because there will be competing implementations and not everyone will be locked in to a single provider. If the hole is in the protocol (and allowing a midpoint to intercept the conversation is a hole in the protocol) then it is more likely to be found if the protocol is subject to peer review, which things like SRTP (which SIP can run on top of) have been.
I am TheRaven on Soylent News
Not even the central server would be necessary .. there is work underway on p2p version of SIP called p2psip.
FreeSWITCH (www.freeswitch.org) is completely open, is MPL licensed and supports TLS & SRTP. Make sure you get the right phone with the right firmware because not all phones properly support TLS & SRTP. Ask in the #freeswitch irc channel on freenode.net or the FreeSWITCH mailing list which phones are known to work.
Asterisk has support for TLS in their development tree. AFAIK their SRTP support is an untested patch in the bugtracker. At this point in time Asterisk does not seem to offer a working, stable TLS & SRTP solution.
A quick search revealed a bunch of companies. Here are some:
http://sipnumber.com/
http://www.ipkall.com/
http://www.freedigits.com/
Those are free services. The last one seems to have problems, though. :)
Paid services exist, too. Just google it.
It's a fragment of Orwell's 1984. http://www.orwelltoday.com/how.shtml
If I remember correctly there are at least two solutions to that.
ZRTP is one.
http://swik.net/encryption+sip
http://en.wikipedia.org/wiki/ZRTP
Try OpenWengo. It works as well as Skype. It is encrypted with the "NG release", available now. The download page says "secure PC-to-PC calls". See this discussion about encryption. It's Open Source. Linux, Mac, and Windows.