More Skype Back Door Speculation
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
Unless you think it's a good thing that some people can snoop on others' conversations, this should be a really good reason to embrace free software.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
I know it's tedious work, but some people actually seem to like it. Isn't it time that people disassemble these suspected binaries in order to issue a report on the matter? Not only on Skype, but on many other suspected programs, libraries and operating systems?
All you have to know to monitor someone's Skype is their password. Log in with Skype on another machine, set status to invisible. Anything they type or receive in chat you receive.
1. For IM: Jabber (non-US server) + OTR Plugin + Tor.
2. For everything else (email/vpn/storage) services as provided by www.xerobank.com will do you good.
3. TrueCrypt Full Drive Encryption. (Check your local laws - under Dutch law they cannot force me to give up the passwords ... and we don't do waterboarding here) (I hope)
You can be sure that these people are also trying to:
You can be equally certain that they are not doing it right and that the backdoors they are trying to put in make your system less secure.
Running open source software is your best bet, but even there, you aren't completely protected.
Assume all communication that uses any kind of monitorable infrastructure is bugged. The capacity is there, and the desire is there.
It is the way of things.
-- http://frobnosticate.com
If you think of alternatives, you'd expect them to fulfill the same specifications. One of the specifications when switching off Skype is being able to actually contact other people. Try talking to the Average Joe about, e.g., Ekiga, an open source VOIP client. What will happen? You will get that sheepish look and the question: "Why would I install that, I already got Skype. BESIDES, EVERYONE I KNOW USES SKYPE AND I COULDN'T CALL THEM ANYMORE".
Such are network effects. There is no alternative to Skype for that specific reason. The alternative would have to be 100% Skype protocol compatible. (Good luck with that, with the patented codecs alone.)
This is going to be a problem with any so called "secure" communication system that relies on source secret clients and unpublished protocols.
There are many ways to build such clients to "assist" external intercept, since they often have to first communicate with some central server to locate users. They could for example have a command that forces the client to always route back through the server (like they do for NAT), and use a simple data transformation rather than full encryption so casual packet snooping makes it "appear" encrypted when it is actually not.
They might also have flaws in their implementation, particularly with key exchange, that allow an invisible man in the middle. The ZRTP stuff developed by Phil Zimmermann that we use in GNU Telephony secure calling uses extra steps to compute an SAS to validate that there are no fake public session keys given out by a man in the middle, for one example of how such flaws can affect otherwise "secure in appearance" systems.
Of course, even secure peer-reviewed protocols and FOSS clients do not guarantee security. For example, one can tether a bunch of ZRTP softphones to an Asterisk server using PBX enrollment, but this enables and requires said server to decrypt all traffic as it passes through, as it acts as a "trusted" man-in-the-middle.
In the end, the best solution, even with ZRTP, remains using pure peer-to-peer (end-to-end) media connections, and when needed transparent proxy media exchange, the latter for dealing with NAT. In ZRTP, SAS negotiation assures that any such proxy used for NAT "remains" transparent.
In the case of Skype, source secret clients that can report false call information and source secret protocols are a clear recipe for disaster.
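The SAS check described in the post above, as an added toy model that is not part of the original thread and not GNU Telephony or ZRTP code: two peers run a Diffie-Hellman exchange through a relay, and each side hashes the transcript it saw into a short string they would read to each other. A relay that merely forwards (the NAT proxy case) leaves both strings equal; a relay that substitutes its own key material produces two different strings. The prime, generator and key values are constructed for illustration only.

```python
"""Toy model of a ZRTP-style Short Authentication String (SAS) check."""
import hashlib

# Toy Diffie-Hellman group, constructed for illustration only (a 61-bit
# Mersenne prime); real ZRTP uses large MODP or elliptic-curve groups.
P = 2**61 - 1
G = 2


def dh_public(priv):
    return pow(G, priv, P)


def sas(shared, pub_initiator, pub_responder):
    """Derive the SAS from the key-agreement transcript a peer saw:
    the DH result plus the two public values it believes were exchanged.
    Returns the full hex digest; the short form is display_sas()."""
    transcript = "|".join(str(v) for v in (shared, pub_initiator, pub_responder))
    return hashlib.sha256(transcript.encode()).hexdigest()


def display_sas(sas_hex):
    """The short form the two people read aloud to each other on the call."""
    return sas_hex[:4]


def run_exchange(alice_priv, bob_priv, relay_priv=None):
    """Alice (initiator) calls Bob (responder) through a relay.
    relay_priv=None: a transparent relay forwards public values unchanged.
    Otherwise the relay hands each side its own public value, ending up with
    one DH key shared with Alice and a different one shared with Bob.
    Returns (alice_sas, bob_sas) as full hex digests."""
    alice_pub, bob_pub = dh_public(alice_priv), dh_public(bob_priv)
    if relay_priv is None:
        alice_sees, bob_sees = bob_pub, alice_pub
    else:
        alice_sees = bob_sees = dh_public(relay_priv)
    alice_shared = pow(alice_sees, alice_priv, P)
    bob_shared = pow(bob_sees, bob_priv, P)
    # Each side hashes the transcript as it saw it, initiator's value first.
    return (sas(alice_shared, alice_pub, alice_sees),
            sas(bob_shared, bob_sees, bob_pub))


def sas_matches(alice_priv, bob_priv, relay_priv=None):
    """True when the strings both people read aloud agree."""
    a, b = run_exchange(alice_priv, bob_priv, relay_priv)
    return display_sas(a) == display_sas(b)


if __name__ == "__main__":
    print("transparent relay:", sas_matches(123456789, 987654321))
    print("substituting relay:", sas_matches(123456789, 987654321, 555555555))
```

Comparing the two short strings out of band is what lets the callers notice a relay that is no longer transparent; the relay itself sees only public values and cannot make the two transcripts agree.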
Very few people on the Internet use it. Most SIP usage is either on private networks (e.g. intra-company) or bridged to POTS at the far end.
I am TheRaven on Soylent News
Two words: Network Effect. All the alternatives I have reviewed are harder than Skype. Harder to download, set up, use, the list goes on.
Result: Skype is popular - they nailed delivery to the "masses". No screwing around with the microphone, NAT/firewalls, SIP providers, names etc etc. The average joe can just download and install it in just two url clicks, type in a name and begin to use it. Done deal.
All the open source VOIP clients (most of them SIP) I have seen completely miss this most important point, and so all their development effort is ultimately wasted - they have walled themselves off to the technically proficient crowd and are not benefiting from the network effect.
Why must EVERY conversation on privacy boil down to a few tired questions about "open source" alternatives?
What, like if the source code is open, then that will prevent backdoors? Erm hello, the client software isn't the problem, it's the network of Skype servers the bloody data passes through that is the weak point in the equation.
So who do you trust more with your privacy? A multi-million-dollar company, or some nerd in his mom's basement, acting as a VOIP connectivity server. In my case, I'd choose option "none of the above", but really ... open source is not the answer to ALL the world's ills.
Why must EVERY conversation on privacy boil down to a few tired questions about "open source" alternatives?
Because open source alternatives shouldn't have backdoors. And if they do, they can be identified and closed. The only reason the conversation is tiresome is because proprietary software seems to have a perpetual stream of backdoors that keep bringing it up.
What, like if the source code is open, then that will prevent backdoors? Erm hello, the client software isn't the problem, it's the network of Skype servers the bloody data passes through that is the weak point in the equation.
Nobody intelligent is asking for an OSS Skype client. They are asking for an OSS replacement for the entire Skype service. For precisely the reason you stated.
So who do you trust more with your privacy? A multi-million-dollar company, or some nerd in his mom's basement, acting as a VOIP connectivity server.
If that nerd is just hosting a connection service, and the VoIP data stream itself is end-to-end encrypted and is actually transmitted directly to the recipient, then I trust the nerd in the basement more, because he never even sees the stream, and even if he did, it's encrypted.
At least as long as I know I'm -really- using the public key of the called party to encrypt it, that is. But that is the biggest weakness of almost all internet uses of encryption.
In my case, I'd choose option "none of the above", but really ... open source is not the answer to ALL the world's ills.
Not all of them. But it is the answer to this one.
What keeps me with Skype is that I can have a US telephone number. So no matter where I am, my friends and family can call me.
If there was another service which allowed me to have a US telephone number for incoming calls and let me call any other POTS number I'd use it.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
This is quite true, which speaks even more strongly for an encrypted RTP stream for VoIP communications. Problem is, if it terminates to a POTS connection anywhere, or you're going through a provider that's subject to CALEA, you're still pretty much hosed. You need to have an end-to-end encrypted connection with trusted devices/software on each end to be assured of privacy.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
Therefore, if the Chinese have no problem with Skype, Skype must have a back door.
The only downside is that there isn't any encryption, so it'd be pretty trivial to bug.
I'd say that's a pretty huge downside, given the context in which the question was asked!
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Speaking into the air was the good old days, wasn't it? Wasn't the point of the FISA bill to indemnify the phone companies for past, present and future uses of the permanent listening posts they have built into their facilities in order to better protect our glorious fatherland?
With Skype, I always figured when it was Estonian, who knew? When it was Ebay, we knew.