Slashdot Mirror
More Skype Back Door Speculation
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that is completely open.
I asked the internet, she donned her Stupomitron Helmet, et voilà
"Be light, stinging, insolent and melancholy"
There are quite a number of alternatives based on the open SIP protocol. Have a look at the list: http://www.voip-info.org/wiki-Open+Source+VOIP+Software
http://en.wikipedia.org/wiki/Gizmo5 says that the client is proprietary software. Are you talking about some other client with the same name?
It has been attempted. See "Silver Needle in the Skype" presentation at http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf -- The impression I got was that it was deliberately made difficult to understand by adding all sorts of checksums and encryption layers.
I read a good presentation by people that had tried to disassemble Skype, and basically, Skype do so much to make it very, very difficult. Here's a PDF version of it.
If it was easy, someone would have done it by now, and made Gnype, don't you think?
Get your own free personal location tracker
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that is completely open.
For Linux there's a decent program called I Hear You (IHU), very simple program, GPL-licensed etc., you can find it at http://ihu.sourceforge.net/
An alternative to what? To Skype? To the PSTN? Software running on a PC is always going to be a poor solution, and is far from your only option for Internet voice communication. You do NOT need some app on your PC to do VoIP. What you want is something called an ATA - its a little box that has a jack for a regular phone, and an ethernet port. They are often supplied with service such as Vonage, but are usually 'locked' down to that provider. You can also but them directly, but you will of course still need 'something else' to initiate SIP connections to. For information about real VoIP networks (both net-to-net, as well as PSTN interconnection), visit voip-info.org
From the wikipedia link you gave:
"Unlike its competitor network Skype, the Gizmo5 network uses open standards for call management, the Session Initiation Protocol and Jabber."
Not a Twitter sockpuppet... but I wish I was.
using an open standard is not the same thing as being "open source" or "completely open"
Several orders of magnitude more daily minutes are done with SIP than Skype. SIP is used for corporate networks and calling card providers and lots of other situations.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
I found Ekiga pretty straight forward to get working. Not two clicks, for sure, but you are led through all the necessary steps by the nose.
And the network effect no longer applies if Ekiga users can call Skype users (And they can).
"Be light, stinging, insolent and melancholy"
Because something like this will be audited if at all possible. Skype is closed, the binary is encrypted, it auto-exits in the presence of debuggers, and does various other things to prevent reverse-engineering. And, still, someone at BlackHat took it apart and found a remote vulnerability. If it were open source and popular, a lot more people would be poking it for holes.
More important than open source, here, is open standards. In an open standard, lots of cryptographers will look at the protocol for holes without considering the implementation details, and lots of others will look for holes in specific implementations. Implementation-related holes (such as the heap-overflow exploit in Skype) will not affect as many people, because there will be competing implementations and not everyone will be locked in to a single provider. If the hole is in the protocol (and allowing a midpoint to intercept the conversation is a hole in the protocol) then it is more likely to be found if the protocol is subject to peer review, which things like SRTP (which SIP can run on top of) have been.
I am TheRaven on Soylent News
Not even the central server would be necessary .. there is work underway on p2p version of SIP called p2psip.
FreeSWITCH (www.freeswitch.org) is completely open, is MPL licensed and supports TLS & SRTP. Make sure you get the right phone with the right firmware because not all phones properly support TLS & SRTP. Ask in the #freeswitch irc channel on freenode.net or the FreeSWITCH mailing list which phones are known to work.
Asterisk has support for TLS in their development tree. Afaik their SRTP support is an untested patch in the bugtracker. At this point in time Asterisk does not seem to offer a working, stable TLS & SRTP solution.
A quick search revealed a bunch of companies. Here are some:
http://sipnumber.com/
http://www.ipkall.com/
http://www.freedigits.com/
Those are free services. The last one seems to have problems, though. :)
Paid services exist, too. Just google it