More Skype Back Door Speculation
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.
I asked the internet, she donned her Stupomitron Helmet, et voilà
"Be light, stinging, insolent and melancholy"
There are quite a number of alternatives based on the open SIP protocol. Have a look at the list: http://www.voip-info.org/wiki-Open+Source+VOIP+Software
It has been attempted. See "Silver Needle in the Skype" presentation at http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf -- The impression I got was that it was deliberately made difficult to understand by adding all sorts of checksums and encryption layers.
The code is heavily obfuscated to prevent reverse engineering (encrypted code, checksums, debugger detection, all kinds of fun).
Let's find out...
Do I have a volunteer from the /. audience that wants to bed Skype and see if it's a back door kind of program?
using an open standard is not the same thing as being "open source" or "completely open"
Two words: Network Effect. All the alternatives I have reviewed are harder than Skype. Harder to download, set up, use, the list goes on.
Result: Skype is popular - they nailed delivery to the "masses". No screwing around with the microphone, NAT/firewalls, SIP providers, names etc etc. The average joe can just download and install it in just two url clicks, type in a name and begin to use it. Done deal.
All the open source VOIP (most of them SIP) I have seen completely miss this most important point, and so all their development effort is ultimately wasted - walled themselves off to the technically proficient crowd and not benefiting from the network effect.
Nothing wrong with Skype,
Except that it might have a backdoor... which was kind of the point of this article in the first place.
Why must EVERY conversation on privacy boil down to a few tired questions about "open source" alternatives?
Because open source alternatives shouldn't have backdoors. And if they do, they can be identified and closed. The only reason the conversation is tiresome is because proprietary software seems to have a perpetual stream of backdoors that keep bringing it up.
What, like if the source code is open, then that will prevent backdoors? Erm hello, the client software isn't the problem, it's the network of Skype servers the bloody data passes through that is the weak point in the equation.
Nobody intelligent is asking for an oss skype client. They are asking for an oss replacement to the entire skype service. For precisely the reason you stated.
So who do you trust more with your privacy? A multi million dollar company, or some nerd in his mom's basement, acting as a VOIP connectivity server.
If that nerd is just hosting as a connection service, and the VoIP data stream itself is end-to-end encrypted and is actually transmitted directly to the recipient, then I trust the nerd in the basement more, because he never even sees the stream, and even if he did, it's encrypted.
At least as long as I know I'm -really- using the public key of the called party to encrypt it, that is. But that is the biggest weakness of almost all internet uses of encryption.
In my case, I'd choose option "none of the above", but really ... open source is not the answer to ALL the world's ills.
Not all of them. But it is the answer to this one.
Because something like this will be audited if at all possible. Skype is closed, the binary is encrypted, it auto-exits in the presence of debuggers, and does various other things to prevent reverse-engineering. And, still, someone at BlackHat took it apart and found a remote vulnerability. If it were open source and popular, a lot more people would be poking it for holes.
More important than open source, here, is open standards. In an open standard, lots of cryptographers will look at the protocol for holes without considering the implementation details, and lots of others will look for holes in specific implementations. Implementation-related holes (such as the heap-overflow exploit in Skype) will not affect as many people, because there will be competing implementations and not everyone will be locked in to a single provider. If the hole is in the protocol (and allowing a midpoint to intercept the conversation is a hole in the protocol) then it is more likely to be found if the protocol is subject to peer review, which things like SRTP (which SIP can run on top of) have been.
I am TheRaven on Soylent News
Oh, for the good old days, when you actually needed a warrant.
Now they just get your packets to route across a border, and then can listen in at will [if you're not in the US].
If you do happen to live in the US, they just declare [as in, speak into the air] "This person is obviously a terrorist, an enemy combatant not in an official uniform, therefore, I can listen to all their phone calls." Then the phone and/or VOIP company is required to permit the wiretap. This used to require a photocopied letter, but those were just too much of a hassle to carry around...
Sleep your way to a whiter smile...date a dentist!
Therefore, if the Chinese have no problem with Skype, Skype must have a back door.