Skype Messages Monitored In China
Pickens writes "Human-rights activists have discovered a huge surveillance system in China that monitors and archives Internet text conversations sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay. Researchers say the system monitors a list of politically charged words that includes words related to the religious group Falun Gong, Taiwan independence, the Chinese Communist Party and also words like democracy, earthquake and milk powder. The encrypted list of words inside the Tom-Skype software blocks the transmission of these words and records personal information about the customers who send the messages. Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that 'full end-to-end security is preserved and there is no compromise of people's privacy.' The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. 'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.'"
Writing through a scribe over Skype from mainland China, I can confidently say that messages about Falun Gong are not being
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
All the others contained references to dehydrated breast fluids.
Finally had enough. Come see us over at https://soylentnews.org/
...the last thing to trust is closed source implementation or even worse, proprietary protocol.
though I think real paranoid people won't trust something like Skype, right?
How is it we have 4 engies and only 1 sentry?
I use Skype to communicate with friends in the US, and to discuss politics. I am appalled to read of this invasion of privacy.
Hold on, someone is at the door...
CHINA IS A GREAT NATION THAT WOULD NEVER INVADE MY PRIVACY. THIS ARTICLE IS UNFOUNDED AND BIASED.
This is also an argument in favor of using open source software. I've been dubious in the past about claims that closed-source vendors couldn't be trusted, but apparently I was being naive.
Sounds like the FSF got this one right.
Comparing the Chinese program to the program by the NSA is completely disingenuous. The only similarity they have is that they involve surveillance. That is where the similarities stop.
The NSA program was designed to listen in on US citizens talking to people on a known terrorist list. One part of the conversation was always international and one part was domestic. Telephone conversations are two-way and you kind of need to hear both sides to know what is going on. Now was this illegal? Maybe. Should it have happened? That's up in the air. The program was supposedly done to protect the US citizens from another terrorist attack.
Compare and contrast this with the Chinese program. This program exists to control the thoughts of the Chinese people. It censors them and prevents the flow of information. Then it reports on them simply because they are talking about things which in the United States are completely legal to talk about but in China are completely illegal to talk about. China has no freedom of speech. Their every move is watched to control them online. They aren't trying to track terrorists here. They are trying to play mind control. They are trying to censor the public's thoughts.
We already know that it's possible to listen in on Skype conversations. Is it any stretch of the imagination that China would be doing it?
The encrypted list of words inside the Tom-Skype software blocks the transmission of these words and records personal information about the customers who send the messages.
Don't tell me they're encrypting the text word-by-word.
Help a man when he is in trouble and he will remember you when he is in trouble again.
There are a couple of messaging softwares that use encryption. People tend to simply not care in the west about things like Tor, Freenet, I2P and encryption options in text messaging but if more scenarios that are NOT linked to child porn arise, maybe people will start to consider the more legitimate reasons to fight for our right to privacy?
I believe we need more crypto-anarchists in this world. Where are the cypherpunks when we need them?
Once again: Stallman was right. It's a trap!
What do you expect when the NSA is the phone company?
Echelon anyone?
If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place -Eric Schmidt
'This is the worst nightmares of the conspiracy theorists around surveillance coming true,'
No. The worst nightmare would be when this comes true and no one cares.
So, we have an interesting report about China.
Then, for no intelligent reason, a troll about a US story that has been hashed, rehashed, and corned beef hashed to death, in an obvious attempt to draw some kind of moronic equivalence.
Submitter is a troll.
Either open-source the Skype engine or abandon it.
Skype devices could still be manufactured only under license, so their profit stream wouldn't dry up. No doubt it's all trademarked and copyrighted and patented to hell and back by the company anyway, so open-sourcing wouldn't be giving free rein to the competition.
But if they want to retain a trusting customer base, the only option now is to open-source the Skype engine and protocol, otherwise it's end of game.
I'll certainly be letting all my friends know about this. While they may be discussing only granny's Xmas presents or their boyfriends' vital measurements, it's no business of the snoop agencies to hear it.
Meanwhile, it's not as if VoIP didn't have any open alternatives. There is no need to support a vendor that cannot be trusted.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
well. if they monitor the internet usage of the average slashdotter then they'll go blind, I'm sure.
honestly, did anybody seriously think this was *not* happening?
I won't end the friendship yet, digitus (just in case you survive the beating) but ... this article would be news if the title read, "Skype *not* monitored in China!" because China is a dictatorship and therefore you need to expect they monitor everything that everyone is doing to ensure it's in line with the dictator's wishes. What kind of dictatorship would it be if they didn't monitor everyone? It'd be a chaotic dictatorship! It helps to know what's going on when scheduling executions and public beatings. I would be far more concerned if these types of occurrences were arbitrary!
The dangers of knowledge trigger emotional distress in human beings.
According to the Skype Blog, this is a text filter that only applies to TOM-Skype. If you use regular Skype, or if you use Skype or TOM-Skype for voice (rather than text) communication, you are still secure.
Yeah, I know... I don't trust them either. But even the NYT article didn't uncover any snooping of the actual voice calls (although the phone numbers and names of those involved in the call *were* being recorded.)
I tried using Zfone with Gizmo a year or two ago, since I trusted the inventor of PGP to provide a better security solution than Skype's proprietary secret encryption. Unfortunately (at least at that time), the voice quality and ability to handle NAT wasn't as good in Gizmo as it was in Skype. Wonder if they've improved it yet?
Wake me when a real journalist reports on it.
Or they selectively care based on whether "their" party is in power or not.
Please send my agency the list of IP addresses, indexed by user-name, linked to the comments users have posted here in response to this article about online privacy. If you could export it to Excel, my analysts would much appreciate it. I promise not to abuse this information and will use it only to help identify and track enemies. By the way, my organization is considering advertising on your website.
http://afp.google.com/article/ALeqM5iD_wQwD-Ra3ADqTfFRGr1thY8aTA
Seems that the problem was not buggy crypto, but their communist partner company. Should avoid these.
> If you use regular Skype, or if you use Skype or TOM-Skype for voice
> (rather than text) communication, you are still secure.
Following up on my own comment, I should point out that you are not secure if you are having a text chat with someone who uses TOM-Skype, even if you yourself use the regular Skype.
Well, that just goes to show you how much better I am than all of you because I use NoScript! Stupid commoners!
Wait, what's this story about, again? Encryption? Oh, right, right, I meant to say OTR. Yeah, that's it. OTR. I'm better than you.
Here is some information on Bavarian police interception of Skype. http://www.wikileaks.org/wiki/Skype_and_SSL_Interception_letters_-_Bavaria_-_Digitask
I wish the tubes were free and secure, but they are not and never will be. Telephone lines never were either, snail mail too ... pile up all the law and activism you want against wire tapping, it's not gonna change and if you believe them when they say it has changed ... well, that's your own fault.
How do you know that? That's what they say, but how do you know that?
Was the program under some kind of oversight outside of the executive branch? No. Are the details of the program publicly available? No.
You don't actually know how the NSA program compares to the Chinese one. You just hope that's the way it is.
Prudent individuals should assume that all of their actions, transactions, and speech are being monitored and recorded, either passively by devices that are coincidentally nearby, or actively by individuals and organizations that are collecting data for some particular purpose. They should also assume that the records will last forever, at least for practical purposes, and will likely become public at some point.
Too paranoid for you? OK. Ignore me.
Har...
A communist from the West decides to move to the USSR. He explained to his friends that he would write letters to them. Worried about freedom of mail, he explained to them that if he writes anything in red ink, that would mean that reality is the opposite of what is written.
He moves there, and after a while, the first mail finally arrives. It says: "Everything is great here in USSR. People are happy, wealthy, there is a lot of everything in stores, freedom is enormous. The only problem I have seen here is that you cannot buy any red ink."
No sig today.
'It's "X-Files" without the aliens.'
come on, GWB is an alien.
Milk Powder... huh?
"Yes, I have a Disaster Recovery Plan. It's called my Resume"
I find it amusing that people are shocked by this. It must be because China makes everything now. I guess a lot of people forget it is a totalitarian communist country.
That would be THIS NEWS.
You don't get, uh, Google News down there?
you had me at #!
Welcome to America!
He's just a dangerously stupid, uncivilised and corrupt figurehead (per Occam's Razor.)
June 2006: http://recon.cx/en/f/vskype-chinese-blacklist.7z
which comes from
http://recon.cx/en/f/vskype-part1.pdf
http://recon.cx/en/f/vskype-part2.pdf
(more goodies about this on http://recon.cx/en/f/)
which are a sequel of the more known
https://www.secdev.org/conf/skype_BHEU06.handout.pdf
Is Yahoo! better? Google's? Does it matter who hosts the hub, or do we have to have our own IM servers out there to communicate completely securely?
I see things like X-IM (http://x-im.net/protocol.asp), but is anyone checking the source to ensure client-to-client comm is secure as advertised? No back doors?
Does anybody have a run down?
My favorite quote doesn't fit into 120 characters. Now no one will like me.
[Today's Financial Times posted a story](http://news.ft.com/cms/s/875630d4-cef9-11da-925d-0000779e2340.html) about how Skype's partner TOM Online is filtering text messages in China.
Skype has a joint venture with TOM Online. As part of that venture, we provide a co-branded version of Skype called TOM-Skype, which is the version of Skype that is available in mainland China.
As part of the joint venture, TOM provides guidance to Skype about how to co-operate with local laws and regulations in China. In every country we operate in, we always work with local authorities to follow local laws and best practice.
TOM operates a text filter in TOM-Skype. The filter operates solely on text chats. The filter has a list of words which will not be displayed in Skype chats.
The text filter operates on the chat message content before it is encrypted for transmission, or after it has been decrypted on the receiver side. If the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere.
It is important to underline:
* The text filter does not affect in any way the security and encryption mechanisms of Skype.
* Full end-to-end security is preserved and there is no compromise of people's privacy.
* Calls, chats and all other forms of communication on Skype continue to be encrypted and secure.
* There is absolutely no filtering on voice communications.
Maybe I'm missing something, but is this necessarily evidence that the Skype client and transmission are not themselves secure? The third link indicates that TOM-Skype uses TOM-specific client software that does the filtering (which Skype knew about). Isn't it likely that that software is also what's squealing to the monitoring system (which Skype apparently didn't know about) despite the supposed end-to-end security of the actual transmission over the Skype protocol? Is there any evidence that the monitoring is going on during the transmission, rather than this being a case of the TOM software phoning home separately?
I'm not suggesting that the Skype client should be trusted even outside of China—if it's closed-source, it might as well not encrypt anything at all—and this story certainly seems to cast additional doubt on it. But nonetheless, couldn't the foul play here be limited to the "TOM" side of TOM-Skype?
He really should have stocked up before he left. There is LOTS of red ink here.
...Apparently, 166,000 messages were logged in two months. 88,000 messages/month.
Ebay said that the lack of security that allowed the monitoring to be uncovered was the problem and affirmed their concerns for the privacy of their users (then why did they LOG their messages to begin with?):
the company spoke to the accessibility of the messages, not their monitoring. "The security breach does not affect Skype's core technology or functionality," she said. "It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed within 24 hours." EBay had no comment on the monitoring.
Yeah...tough to justify logging messages, dates, IPs and phone numbers when keywords like "milk powder" or "earthquake" were used and providing them to the Chinese government.
It seems the logging was done client-side. Skype is p2p based so this might have been their only option.
At least in the US, Skype is legally *required* to provide CALEA-style law-enforcement interception capabilities. You can open source it and they'll still have to do that, like any other VoIP service would.
Did he say "people's privacy" or "The People's privacy?"
The former would indicate individuals, while the latter would indicate the collective, happy body of people of the PRC who have no need of privacy from their comrades in the government.
a list of politically charged words that includes words related to Falun Gong ... the Chinese Communist Party ... the Tom-Skype software blocks the transmission of these words
So Skype believes either (1) nothing bad would be said about FLG and nothing good would be said about CCP; or (2) FLG and CCP are in fact allies and both are cults.
Except, even IF you could comb through the code, it doesn't mean that at some higher level your security isn't compromised.
I run a VOIP server and it's ridiculously easy to monitor everything going through it despite a TLS initiated client-server session.
No, sorry no.
End-to-end has nothing to do with those applications that provide some toy protection by securing communication with the server (like IMAPS or SSL protection in stock MSN).
End-to-end means that the whole traffic is encrypted between both *end points*. A direct channel going from my software on my computer, all the way to your software on your computer. Everyone else along the chain only sees encrypted garbage.
You can't spy on end-to-end encrypted traffic (I mean you can record packets, but you can't understand them). If anyone attempts a man-in-the-middle attack (at the server, for example), both end points will see the wrong encryption certificates. (Each end of the communication will see the middle-man's certificate, not the original one).
You could compromise the system :
- at the key exchange step the first time 2 previously unknown people get in touch (if you manage to trick each one into thinking that the key they received from *you* the first time they exchanged keys was the other's key).
- at the end point of the communication. If something is compromised at the exit of the secure channel, no matter how the channel itself is secure.
The system could be root-kited, or the software could be not trustworthy.
How you find and trust VOIP peers is where that idea falls apart
Building a chain of trust which tops out at meeting the first key persons in real life in order to exchange keys (once that portion of communication is secured, you can obtain further security tokens from other persons).
Or at least using a separate better trusted channel to confirm the keys' hashes.
Another idea is to encrypt/decrypt the data on the client.
Been done for ages on open source implementations of IM clients. "Off the Record" is currently a very popular application, running on Pidgin (plugin), Adium (out-of-the-box) and several others, and functioning as a layer above the message protocol.
(If both end points are running OTR, when you type a message in your client, the plugin converts it into a ciphertext. Then that message is sent using the classical route of whatever protocol you use underneath (MSN, Jabber, whatever), the client at the other end receives it too, and its plugin decrypts the message back before displaying it, and also checks whether the encryption key matches.
Regardless of what network is used, the message that transits is only something looking like line noise. Microsoft's MSN server could log it, it's still meaningless.)
Encrypting the audio portion of the UDP packets would be very problematic
Been done for ages too. You should google around for ZRTP (by nothing less than the author of PGP). Supported in several projects, including the open source Twinkle, with support coming in Ekiga's next major release too. Nothing problematic.
Running your own communications server is good too.
...as long as you use end-to-end encryption between the people.
or at least as long as everyone exclusively uses secure communications from/to the server.
(but then, *they* shouldn't trust it as they don't control what's happening on the server)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Ignoring MITM attacks
Ignore it at your peril.
The Skype method of providing communication establishes a permanent man in the middle. Now, they did it in the beginning to provide exceptional voice service by eliminating NAT and other issues. If you have a decent set of networking tools, you will see the number of connections opened by their client far exceeds a similar VOIP compliant call.
you don't need to trust anything in the middle
You do need to trust what's in the middle because the actual words/audio aren't encrypted to the server. See below illustration.
skypeclient1 --- SkypeServices --- skypeclient2
For those three parties, the voice/text data isn't encrypted. If a bad guy tried to jump in the middle of those three parties after the sessions are created, then yes there is encryption. Any agency would simply listen on the server providing Skype services.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
A good start would be AIM/Jabber/* video conferencing protocols using encryption and open source.
Already exists.
It's a plugin called Off the Record which is supported in Pidgin (plugin), Adium (out of the box) and several other software packages (including as a stand alone proxy - although slightly less secure: it's still vulnerable to a binary client backdoor).
It doesn't break or change the protocol.
Instead, it works one layer above, encrypting messages before sending them and decrypting them after receiving them.
Indeed it works even with non open protocols, as long as Pidgin/Adium are able to communicate (could be used over MSN or FaceBook).
In those protocols, the server helps you figure out the IP of the person you want to talk to, but otherwise doesn't see the messages (except in AIM for text messages when the user is offline).
With encryption-as-an-additional layer, it doesn't matter if the server sees the messages or not.
What the server will see is a message containing only garbage (base64 or line-noise like). Only after going through the plugin do these messages mean something.
Plus, OTR keeps track of signatures and alerts if hashes suddenly don't match (if someone is trying a man in the middle attack).
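The layering described in the two posts above (an OTR-style layer above the IM protocol, a relay that sees only line noise, and an out-of-band comparison of key hashes to catch a first-contact key swap), as an added Python example that is not code from OTR, Pidgin or any poster. It assumes the 1024-bit MODP group from RFC 2409 for the key exchange, since the standard library has none, and a teaching cipher built from HMAC-SHA256; real OTR uses different primitives and an authenticated exchange.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2 (assumed
# constant, copied from the RFC). Used only because the standard library has
# no key exchange; a real client would use a stronger group or X25519.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEYLEN = 128  # bytes in one group element


def fingerprint(pub: int) -> str:
    """Short hash of a public value: what two people compare over a separate
    channel (phone call, in person) to rule out a swapped key."""
    return hashlib.sha256(pub.to_bytes(KEYLEN, "big")).hexdigest()[:16]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Teaching construction: HMAC-SHA256 in counter mode as a PRF keystream.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class Endpoint:
    """One chat client with an encryption layer above the IM protocol."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.key = None
        self.peer_fp = None  # fingerprint of whatever public value we were handed

    def accept_peer(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self.priv, P).to_bytes(KEYLEN, "big")
        self.key = hashlib.sha256(b"otr-demo-session|" + shared).digest()
        self.peer_fp = fingerprint(peer_pub)

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.key, nonce, len(plaintext))))
        tag = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag  # encrypt-then-MAC; line noise without self.key

    def decrypt(self, wire: bytes) -> bytes:
        nonce, body, tag = wire[:16], wire[16:-32], wire[-32:]
        expect = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("message tampered with or keyed for someone else")
        return bytes(a ^ b for a, b in zip(body, _keystream(self.key, nonce, len(body))))


def _fps_match(alice: Endpoint, bob: Endpoint) -> bool:
    # The out-of-band check: does each side hold the fingerprint the other shows?
    return alice.peer_fp == fingerprint(bob.pub) and bob.peer_fp == fingerprint(alice.pub)


def honest_session(message: bytes) -> dict:
    """Alice -> relay -> Bob. The relay forwards bytes unchanged and logs all
    of them, standing in for the IM provider's server."""
    alice, bob, relay_log = Endpoint(), Endpoint(), []
    for sender, receiver in ((alice, bob), (bob, alice)):
        relay_log.append(sender.pub.to_bytes(KEYLEN, "big"))
        receiver.accept_peer(sender.pub)
    wire = alice.encrypt(message)
    relay_log.append(wire)
    return {
        "received": bob.decrypt(wire),
        "relay_saw_plaintext": any(message in item for item in relay_log),
        "fingerprints_match": _fps_match(alice, bob),
    }


def mitm_session(message: bytes) -> dict:
    """Same exchange, but the relay substitutes its own keys at first contact.
    It can then read and re-encrypt everything; only the fingerprint check
    reveals the swap."""
    alice, bob = Endpoint(), Endpoint()
    relay_to_alice, relay_to_bob = Endpoint(), Endpoint()
    alice.accept_peer(relay_to_alice.pub)
    relay_to_alice.accept_peer(alice.pub)
    bob.accept_peer(relay_to_bob.pub)
    relay_to_bob.accept_peer(bob.pub)
    stolen = relay_to_alice.decrypt(alice.encrypt(message))  # relay reads it
    received = bob.decrypt(relay_to_bob.encrypt(stolen))     # and passes it on
    return {
        "received": received,
        "relay_read_plaintext": stolen == message,
        "fingerprints_match": _fps_match(alice, bob),
    }
```

Neither endpoint can tell the two sessions apart from the bytes alone; the mismatch in `fingerprints_match` is the only signal, which is why the posts insist on confirming hashes over a separate channel.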
The US taps phone calls in an attempt to uncover evidence of violent crimes, to prevent them from happening, and to prosecute and jail those responsible.
And the US intelligence and law enforcement agencies - at all levels and over essentially all time - have a long track record of misusing their investigations for suppressing political enemies, both individual and movements.
This happens over and over and over. (For starters look at the FBI for a number of examples, including J. Edgar Hoover's political blackmail files and the COINTELPRO program.) It normally comes to light only a decade or more later, because it happens in secrecy and is only discovered through chance or later examination of records. So it always looks like "It used to be that way but we've cleaned it up now."
You have to keep a tight rein on the government at all times because such power will ALWAYS be misused.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I wouldn't bother arguing; it is a typical left wing rhetorical trick called the Tu Quoque fallacy. Rather than actually discuss the issue (phone tapping in China), they'd prefer it if we shifted the burden of proof onto the "main enemy" aka the USA.
Don't worry comrade. It'll be a glorious egalitarian utopia when Obama is voted in where phone tapping is replaced with rainbows and guns with chocolate (see ain't Tu Quoque fallacy fun?).
If we're talking the NSA program to secretly mass-monitor electronic communications of US citizens **whether or not** they're guilty, and with no judicial oversight - this program was actually approved by Bush **right after he got into office in January 2001**.
http://www.truthout.org/article/jason-leopold-bush-authorized-domestic-spying-before-911
Declassified doc showing that's the case, here: http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf
This is an easy mistake to make - because whenever this program is mentioned, it's always deliberately mentioned in the context of 9/11, and mentions changes made after 9/11. But that is all spin.
It's a shame that we have to look that far into the details to find out when a program was started - but with this administration we apparently do.
And as a side note, it's important to know that this was started well before 9/11 - because it also proves it did nothing to stop the 9/11 attacks. This is more proof that this kind of mass warrantless eavesdropping with no oversight doesn't even make us safer from terrorists - it only puts us in more danger from our government.
Posting this note to the original article also.
The Invisible Hand of the Free Market is what punches workers in the nuts.
It's "X-Files" without the aliens.
Oh, there are aliens already. They're just using their fancy surveillance technology to hide from us.
Damn hairy wookies!
Guess I should discuss my two favorite activities, titties and cocaine, separately on my next visit to China.
The source code doesn't tell you what resources the NSA or the Chinese can bring to the problem.
You control a single node or super node.
Your adversary controls ten thousand nodes or super nodes - whatever it takes to ensure that almost nothing moving across the net escapes their eyes.
So it is X-Files!
When this eBay/Skype deal went down I mentioned here on SD that it was just a way to get Skype into the hands of a company under US jurisdiction. Take that a step further: put it into the hands of a company that can be bought. I got modded interesting +3 before -- now maybe I will get +5
There, fixed that for you.
I do and have used encryption. Being the geek that I am I enjoy using it too - however - my non-geek friends and family (which is just about everyone I know and work with) cannot be bothered with it. It would be nice if email/im clients and such actually *implemented* encryption by default. Unfortunately most of the software that non-geeks would use do not use encryption by default and it's a real PITA for most people to implement it.
'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.'"
How does he know it's without the aliens?
The higher the technology, the sharper that two-edged sword.
If people feel like their privacy is being invaded or violated, or if they simply don't like other people listening to their conversations, they should simply employ the good old distributed overload attack, aka DOA. It goes something like this: every time you have a conversation on the phone, skype, what-have-you... make sure to have a quick one or two sentence 'aside' about something you're sure is on one of those "lists of bad words to look for". For example, in China, just as you're about to say good bye and hang up, say instead "So you know, I drank some of that tainted milk at the Falun Gong meeting last week when I was in the Independent Republic of Tibet, ok ttyl bye". And there we go, once 1b people start doing this, I don't think there are ever gonna be enough computers to filter everything out. Even if I am wrong and there will be enough computing power, as the budget for these sort of activities swells under the DOA sooner or later the politicians will realize that it's a silly thing to do anyway.
If something CAN be done, it WILL be done.
http://tech.slashdot.org/tech/08/07/26/152239.shtml
Closed software cannot be trusted. Personally, I had taken a somewhat naive, optimistic view regarding the makers of Skype, who were admittedly secretive but consistently maintained that their software "contains no malware".
We now know for a fact that this is a direct falsehood.
I'm putting another few bucks into the "put voice-chat into Pidgin" fund now.
No no, you're thinking of red tape.
If you got this problem with Skype, then you probably have a direct link with social security number to the PSB in Tencent's QQ.
For example, both countries throw people who try to oppose the current rulers in jail. This explains why pro-democracy activists are jailed in China and why Obama and Biden are jailed in the US. Um... wait a minute... something's wrong there. Can you explain things again so I understand why the US and China are the same?
No... you see the spooks in China are trying to prevent the people of China from exercising political power and the replacement of the current party in power with any other party. The spooks in the US are trying to prevent violent attacks. They aren't involved in preventing the replacement of the current party in power with any other party and the people of the US do exercise political power, as we will all see on November 4. It's the difference between a democracy and a totalitarian dictatorship. T