Slashdot Mirror
More Skype Back Door Speculation
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
Unless you think it's a good thing that some people can snoop on others conversations, this should be a really good reason to embrace free software.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that is completely open.
I asked the internet, she donned her Stupomitron Helmet, et voilà
"Be light, stinging, insolent and melancholy"
So you mean the times we spent talking about CP and Terrorism were bugged?
Ah, shit.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
There are quite a number of alternatives based on the open SIP protocol. Have a look at the list: http://www.voip-info.org/wiki-Open+Source+VOIP+Software
http://en.wikipedia.org/wiki/Gizmo5 says that the client is proprietary software. Are you talking about some other client with the same name?
It has been attempted. See "Silver Needle in the Skype" presentation at http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf -- The impression I got was that it was deliberately made difficult to understand by adding all sorts of checksums and encryption layers.
I read a good presentation by people that had tried to disassemble Skype, and basically, Skype do so much to make it very, very difficult. Here's a PDF version of it.
If it was easy, someone would have done it by now, and made Gnype, don't you think?
Get your own free personal location tracker
The code is heavily obfuscated to prevent reverse engineering (encrypted code, checksums, debugger detection, all kinds of fun).
Lets find out...
/. audience that wants to bed Skype and see if it's a back door kind of program?
Do I have a volunteer from the
All you have to know to monitor someone's Skype is their password. Login with Skype on another machine, set status to invisible. Anything they type or receive in chat you receive.
1. For IM: Jabber (non-US server) + OTR Plugin + Tor. ... and we don't do waterboarding here) (I hope)
2. For everything else (email/vpn/storage) services as provided by www.xerobank.com will do you good.
3. TrueCrypt Full Drive Encryption. (Check your local laws - under Dutch law they cannot force me to give up the passwords
You can be sure that these people are also trying to:
You can be equally certain that they are not doing it right and that the backdoors they are trying to put in make your system less secure.
Running open source software is your best bet, but even there, you aren't completely protected.
An alternative to what? To Skype? To the PSTN? Software running on a PC is always going to be a poor solution, and is far from your only option for Internet voice communication. You do NOT need some app on your PC to do VoIP. What you want is something called an ATA - its a little box that has a jack for a regular phone, and an ethernet port. They are often supplied with service such as Vonage, but are usually 'locked' down to that provider. You can also but them directly, but you will of course still need 'something else' to initiate SIP connections to. For information about real VoIP networks (both net-to-net, as well as PSTN interconnection), visit voip-info.org
From the wikipedia link you gave:
"Unlike its competitor network Skype, the Gizmo5 network uses open standards for call management, the Session Initiation Protocol and Jabber."
Not a Twitter sockpuppet... but I wish I was.
Assume all communication that uses any kind of monitorable infrastructure is bugged. The capacity is there, and the desire is there.
It is the way of things.
-- http://frobnosticate.com
using an open standard is not the same thing as being "open source" or "completely open"
This is going to be a problem with any so called "secure" communication system that relies on source secret clients and unpublished protocols.
There are many ways to build such clients to "assist" external intercept, since they often have to first communicate with some central server to locate users. They could for example have a command that forces the client to always route back through the server (like they do for NAT), and use a simple data transformation rather than full encryption so casual packing snooping makes it "appear" encrypted when it is actually not.
They might also have flaws in their implimentation, particularly with key exchange, that allows an invisible man in the middle. The ZRTP stuff developed by Phil Zimmerman that we use in GNU Telephony secure calling uses extra steps to compute a sas to validate there are not fake public session keys given out by a man in the middle, for one example of how such flaws can effect otherwise "secure in appearence" systems.
Of course, even secure peer-reviewed protocols and foss clients do not gaurantee security. For example, one can tether a bunch of ZRTP softphones to an Asterisk server using PBX enrollment, but this enables and requires said server to decrypt all traffic as it passes through, as it acts as a "trusted" man-in-the-middle.
In the end, the best solution, even with ZRTP, remains using pure peer-to-peer (end-to-end) media connections, and when needed transparent proxy media exchange; the latter for dealing with NAT. In ZRTP, sas negotiation assures any such proxy used for NAT "remains" transparent.
In the case of Skype, source secret clients that can report false call information and source secret protocols are a clear recipe for disaster.
Several orders of magnitude more daily minutes are done with SIP than Skype. SIP is used for corporate networks and calling card providers and lots of other situations.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
I don't think competitive code is as much of a threat as simply knowing what the code does is a threat.
I have read through a good portion of the PDF and I agree that the analysis of the breakdown and all of the measures Skype makes to conceal what it's doing are both impressive and worrisome. I suppose, perhaps, an alternative measure might be for some sort of "computing trustworthiness" scale to be created where the worst offenders (like Skype) are ranked as "potentially dangerous" until they [Skype] clears the matter up.
I suppose in the presence of such a [subjective?] scale, there would be a huge list of programs and applications deemed to be offensive in this way, but perhaps a black list such as this could be useful in attempting to get software a bit more open than it is today? After all, if you could cite an application as "2 out of 10" on the trustworthiness scale as a reason not to purchase, people might begin to take notice. I think a scale like this, whether subjective or not, would enable the technically uninterested to read these 'executive summaries' of information and make better decisions -- making it easier for the public to make more informed choices.
Would lawsuits result? Of course. But the lawsuits against RBLs once happened frequently before people decided it was better to just take measures to stay off the lists. Consumer Reports once found itself at the receiving end of legal actions and demands (and probably still does) but in the end, it's worth the effort they make as they are generally accepted as a trustworthy source. We need a Consumer Reports for software that exposes the privacy and security concerns that different software poses.
I know this stuff about Skype has given me reason to pause, but that's just me... I can sort of read and understand most of what I read here. But how about the rest of the uninformed? How can we get the point across to them?
Two words: Network Effect. All the alternatives I have reviewed are harder than skype. Harder to download, setup, use, the list goes on.
Result: Skype is popular - they nailed delivery to the "masses". No screwing around with the microphone, NAT/firewalls, SIP providers, names etc etc. The average joe can just download and install it in just two url clicks, type in a name and begin to use it. Done deal.
All the open source VOIP (most of them SIP) I have seen completely miss this most important point, and so all their development effort is ultimately wasted - walled themselves off to the technically proficient crowd and not benefiting from the network effect.
I found Ekiga pretty straight forward to get working. Not two clicks, for sure, but you are led through all the necessary steps by the nose.
And the network effect no longer applies if Ekiga users can call Skype users (And they can).
"Be light, stinging, insolent and melancholy"
If you go to the options of the Skype client under the 'Chat Appearance' settings, do have a look at the sample chat displayed. I quote:
-Does Big Brother exist?
-of course he exists. The Party exists. Big Brother is the embodiment of the party
-Does he exist in the same way as I exist?
-You do not exist
-I think I exist. I am conscious of my own identity. I was born and I shall die. I have arms and legs. I occupy a particular point in space. No other solid object can occupy the same point simultaneously. In that sense, does Big Brother exist?
-It is of no importance. He exists.
To me this is quite conclusive.
Nothing wrong with Skype,
Except that it might have a backdoor... which was kind of the point of this article in the first place.
Why must EVERY conversation on privacy boil down to a few tired questions about "open source" alternatives ?
Because open source alternatives shouldn't have backdoors. And if it does they can be identified and closed. The only reason the conversation is tiresome is because proprietary software seems to have a perpetual stream of backdoors that keep keep bringing it up.
What, like if the source code is open, then that will prevent backdoors ? Erm hello, the client software isn't the problem, it's the network of Skype servers the bloody data passes through that is the weak point in the equation.
Nobody intelligent is asking for an oss skype client. They are asking for an oss replacement to the entire skype service. For precisely the reason you stated.
So who do you trust more with your privacy ? A multi million dollar company, or some nerd in his moms basement, acting as a VOIP connectivity server.
If that nerd is just hosting as a connection service, and the voip data stream itself is end-to-end encrypted and is actually transmitted directly to the recipient, then I trust the nerd in the basement more, because he never even sees the stream, and even if he did, its encrypted.
At least as long as I know I'm -really- using the public key of the called party to encrypt it, that is. But that is biggest weakness of almost all internet uses of encryption.
In my case, I'd chose option "none of the above", but really ... open source is not the answer to ALL the worlds ills.
Not all of them. But it is the answer to this one.
What keeps me with Skype is that I can have US telephone number. So no matter where I am my friends and family can call me.
If there was another service which allowed me to have a US telephone number for incoming calls and let me call any other POTS number I'd use it.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Because something like this will be audited if at all possible. Skype is closed, the binary is encrypted, it auto-exits in the presence of debuggers, and does various other things to prevent reverse-engineering. And, still, someone at BlackHat took it apart and found a remote vulnerability. If it were open source and popular, a lot more people would be poking it for holes.
More important than open source, here, is open standards. In an open standard, lots of cryptographers will look at the protocol for holes without considering the implementation details, and lots of others will look for holes in specific implementations. Implementation-related holes (such as the heap-overflow exploit in Skype) will not affect as many people, because there will be competing implementations and not everyone will be locked in to a single provider. If the hole is in the protocol (and allowing a midpoint to intercept the conversation is a hole in the protocol) then it is more likely to be found if the protocol is subject to peer review, which things like SRTP (which SIP can run on top of) have been.
I am TheRaven on Soylent News
FreeSWITCH (www.freeswitch.org) is completely open, is MPL licensed and supports TLS & SRTP. Make sure you get the right phone with the right firmware because not all phones properly support TLS & SRTP. Ask in the #freeswitch irc channel on freenode.net or the FreeSWITCH mailing list which phones are known to work.
Asterisk has support for TLS in their development tree. Afaik their SRTP support is an untested patch in the bugtracker. At this point in time Asterisk does not seem to offer a working, stable TLS & SRTP solution.
Oh, for the good old days, when you actually needed a warrant.
Now they just get your packets to route across a border, and then can listen in at will [if you're not in the US].
If you do happen to live in the US, they just declare [as in, speak into the air] "This person is obviously an terrorist, an enemy combatant not in an official uniform, therefore, I can listen to all their phone calls.". Then the phone and/or VOIP company is required to permit the wiretap. This used to require a photocopied letter, but those were just too much of a hassle to carry around...
Sleep your way to a whiter smile...date a dentist!
Therefore, if the Chinese have no problem with Skype, Skype must have a back door.