European Crackdown On Skype "Loophole"
angry tapir writes "Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police. Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions, has announced the opening of an investigation involving all 27 countries of the European Union."
Or allowing law abiding citizens to speak with their relatives in hostile countries without worry of big brother listening.
Posts not to be taken literally. Almost everything is sarcasm.
Suppose they have a way to intercept Skype calls and decrypt everything. How will they know a conversation like "Aunt Emma's cat had seven kittens, three black and four white" actually means "I'm sending seven kilos of heroin, Giuseppe will take three and Giovanni four"?
One does not need to rely on proprietary or otherwise closed source solutions and protocols which may have or can in the future carry backdoors to achieve communication privacy. For the past three years, one could simply apt-get install twinkle with ZRTP support from any Debian repository, which has an open and proven model for peer-to-peer media security and a reference implementation of the ZRTP stack that is part of the GNU Project. More recently, there is SIP Communicator, purely Java based and truly multi-platform, which uses the newer ZRTP4J stack. Existing non-B2BUA based SIP servers like opensips or GNU sipwitch can be used to organize and coordinate scalable secure calling networks. All the tools are there to do verifiable communication privacy in freedom today.
even without skype, it must be possible to have fully encrypted voice (or text or video) communication over the internet that should be completely private and impossible to decrypt in real time. so yet again, this will only affect those too lazy or ignorant to try to evade it (which will probably be most people--even most "criminals").
If the de facto standard was opensource, with provably well implemented encryption, then I wouldn't be safe from the criminal hordes.
I wonder why phone communication is not yet secured the same way like ssh. It probably won't take long before someone creates secure communication application for smartphones like HTC G1.
"Who Poses the Greatest Threat To Your Privacy?" ... without a doubt, Your Government. This probably would not be a problem had Skype instituted peer to peer encryption with either OpenSSL or GnuPG keys.
Oday ouyay antway otay ayplay away amegay?
Somebody better tell them about all the other evil loopholes that criminals can use to talk over the internet. They'd better also be able to wiretap Yahoo and Windows Messenger voice, oh, and X-Box chat, and we're going to have to change the RTP protocol to send them a copy of all communications, of course. I'm guessing we'll have to hack all ssh clients to unencrypt VoIP traffic if somebody tries to tunnel it, too.
Or, you know, just get on Skype's case because authorities apparently have no idea what they're doing and seem to believe that Skype is the only way to talk over the internet. I'm sure the criminals appreciate the heads up so they can make sure to use more secure methods.
[insert witty quote here]
They want to eavesdrop to stop sex and drug use (according to the article). Clearly governments need to get rid of their bad laws instead of introducing yet more bad government practices. As for terrorism, that can be dealt with more effectively through political channels than through spying on your citizens.
We all know that Skype has sold access to the Chinese, Germans and the United Bluf.
Skype has never been good, and never will be.
The only real solution is standard VoIP with the addition of Phil Zimmermann's Zfone. This they cannot crack.
All this crap we heard about Bush, and as we speak the UK is threatening to sink because of the weight of all its cameras, and now the EU wants to spy on everyone.
This is my sig.
I do worry about my (and everyone's) government.
the governments are ruining our lives, NOT the terrorists OR the criminals!
what an upside down world we live in. I truly don't fear criminals. I truly do fear my own government.
what is a criminal going to do with info he taps from my line? otoh, we can clearly imagine the kind of damage that happens when the governments listen in.
I wonder if we can ever fix this broken world of ours, where we have more to fear from the so-called good guys than the bad guys.
--
"It is now safe to switch off your computer."
If they want you, they will get you.
Via hardware or software a gov can intercept with your calls.
Any info seems more about extending national or wider legal powers.
ie. Skype has been open to law enforcement, they just want to use it in court.
http://wikileaks.org/wiki/Skype_and_the_Bavarian_trojan_in_the_middle
Domestic spying is now "Benign Information Gathering"
What's your proposed alternative?
It's tempting to be sad, or even surprised, but, really, anyone who didn't see this coming should be ashamed of themselves. At the very least, we can all take solace in the fact that the government will probably never figure out that SIP exists, a point especially true when you factor in the fact that a politician owning and using a blackberry is still a big deal.
A smart criminal will know that not only are they interested in what you say, but more often who you say it to. "Aunt Bertha is ill" could mean that I am worried about my aunt, or that the shipment of drugs and guns will be arriving 09:00 in wherever.
A semi-smart criminal will be using e.g. /. to post messages and think there is no relation between the people. However the Man can gather the information to who connects and then with some time and exclusion determine who I would be speaking to.
So what you need is a way of communicating with each other where there is no direct link between sender and receiver. You could wait for Google to enter the message in their search and use their cache to read it. Bit safer, but still not 100%.
An even smarter criminal would be using something where messages are exchanged between points where you have no control. During WWII (Not the game console) radio was used. Sending from the UK, receiving on the continent and no idea who the message was intended for.
Such a thing exists today and is called Usenet. You can use e.g. alt.test for plain messages. You can also pgp the message and then post it inside a porn image or music file to an appropriate group.
Darn I just provided a link between illegal music and terrorism. Sorry.
Now the real smart criminals won't be affected by this. They do everything by the law and when things do not go well, they get rewarded anyway.
Don't fight for your country, if your country does not fight for you.
They can get more cooperation from skype, to be sure, and when they do criminals will switch to private and distributed encrypted channels. These will be outlawed, and they'll have to use steganography to hide.
Meanwhile physical surveillance will be improved to the point where the unencrypted channel from the mouth to the handset and from the handset to the ear will be the easy target... but the legal residue of the effort to outlaw crypto will leave us in a situation where only the outlaws are safe using it.
The NSA can already crack Skype encryption most likely.
The thing is, it probably either requires human intervention or lots of computing resources (I'd bet they'd be relying on pattern analysis and the like, not any cryptographic break.)
Their current method for regular phone conversations is to use software to convert them from sound to text... this not only cuts down on storage costs dramatically, but allows them to write software to look for keywords or call patterns (For example, if I make a call from Yemen to the UK, then whoever I talked to in the UK calls seven other people shortly after, that has the hallmark of a compartmentalized organization, like a drug ring or terrorist organization)
But between the P2P nature of skype (no central authority to tap) and its encryption, massive automated intelligence collection is impossible, and this makes the NSA very sad.
Suspicious phone conversations on Skype could be targeted for tapping
Am I missing something here? How can you know a phone call is "suspicious" if you're not tapping it already? The mind boggles...
According to fairly recent reports pretty much everyone in Europe is doing it. Internet (or at least http traffic) is habitually snooped, phone conversations (usually) only after a court order. Information gathered is usually shared with foreign agencies. According to a former employee of the AIVD "we could decide not to share our intel with the CIA, but then they don't give us the information we want".
Open up a gmail (or whatever) account, tell your friend the login credentials, write a message, do not send it, but save it as a draft, then let him know to log in from wherever he is, and read the draft. NO email sending involved at all. Terrorists, or any other wrongdoers are not stupid enough to use voicecom AND speak plainly about their plans. This is a pointless step again.
s/gol/goal
My blog
As long as they do it under Judicial oversight (e.g. with a court warrant) I don't see what's the problem - just because it goes "over the tubes" and might use computers in one or both sides doesn't mean it's "special", more than just a phone call and entitled to extra protection from the police.
I'm a lot more concerned with large scale wiretapping without court orders than I am about court authorized wiretapping of calls that go over "the tubes".
Is it just me or does that sound rather like coming straight from an Orwellian "Newspeak" nightmare?
Pretty soon now, doing anything that even smacks of caring for your privacy will brand you a criminal. Anything still legal is already branded a "loophole". Right. Do we even need to discuss this further?
Alright....
First of all- as many here have mentioned- proprietary networks are a big no-no when it comes to VOIP security.
second of all- as some here have mentioned, but which needs a bit more emphasis- one of the best ways to make something secure when it comes to ANYTHING computer software related is to make sure hardly anybody knows anything about it! That being said, there are a lot more knowledgeable criminals out there, now that the EU has made a big stink of it.
Thanks EU for spilling the beans!
I should think any sort of video calling makes monitoring much much more difficult. With voice calls, you can fairly easily hook up some text-to-speech and mine some medium-term recordings for potentially nasty combinations of words. True that'd only catch the careless but I believe it is done.
With video calling you can't do that. If two terrorists were using Skype they could pass messages by writing messages on cards and holding them up to the camera - there'd be no way of transcribing or flagging that automatically.
The technology is growing and diversifying so fast that the whole concept of SIGINT is looking increasingly unrealistic.
You thought you could break the laws of physics without paying the PRICE?
...I just wish they had better advisors. There's simply no way to prevent a determined group from communicating in secret. Certainly this proposed legislation isn't going to help one bit. Perhaps they'll catch the dumbest of the groups, but then, they're probably the least dangerous anyway. I'm not suggesting they give up, but perhaps a radical change in tactics is in order.
How so many people can argue that the 4th amendment implies a right to privacy in everything, argue that Commerce clause gives the government the right to regulate CO2, but, that little phrase "the right to keep and bear arms shall not be infringed", somehow does not imply an individual right to keep and bear arms. My point is that everyone twists around the Constitution to mean what they want these days, and if you wanted to make a case for a civil right, you should do so not because it says that it is the law, but on the basis of some other reason.
This is my sig.
My guess is that most national security agencies have already broken Skype. Those national spy agencies probably have not shared that information with their local police. In fact, the spy agencies probably love it when the local police go around complaining that they can't tap Skype calls because it lulls the people they want to listen to into a false sense of security that Skype is safe. This story will probably go on for a long time. The spy agencies are going to make sure that no law gets passed that requires Skype to open up. There will always be a local police agency that isn't bright enough to figure out what is going on, so they will keep it in the news.
What the heck does the Second Amendment have to do with anything?
The fact that the Fourth Amendment applies to wiretapping, among other things, is well established by the Supreme Court. Which are the people whose JOB it is to interpret the constitution. If you have a problem with that, take it up with them.
as in, full of hysteria
your government, as a citizen of a western democracy, is an extension of your will
it is not some alien entity come to suck you of your freedom just for the fun of it
i now await my lecture about how western governments are driven by the media, or the rich, or corporations
blah blah blah
such rationalizations are called learned helplessness, in which you indoctrinate yourself into your own slavehood
your government is clearly an extension of the popular will. if you don't believe that, you ARE a slave, made of your own broken thinking. the chains on your mind are made by yourself
don't like an aspect of your government's policies? agitate for change. if your message finds resonance amongst much of your fellow citizens, congratulations: you represent the best of democracy
or whine by yourself about how helpless you are. your own, self-created helplessness
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
RTFL, it goes over increasing paranoia from Italian police forces against Skype that is already for some time noticeable on Italian media.
Now they are lobbying in Europe about it, to make it a 'common problem' and get to an easier solution to defeat their own technical and political shortcomings maybe.
This happens in a time while the government of Italy itself fights for months to regulate magistrates' work and prevent the proven extreme abuse of wiretapping that is done today in that country, where "almost everyone is wiretapped" or at least almost anyone can easily know who you called/who called you at any time.
If true criminals or terrorists want a new secure way to communicate: they'll find it anyway, unless they're absolute idiots.
At the same time too much wiretapping information collected (i.e. wiretapping anyone, how they do now) is very hard to use effectively, because information is far too much to handle. Also in this case the mob wins.
This idiotic campaign against Skype has only the silly effect to have all criminals fly away from Skype and talk in some other way, while zillions of grandma and nephew calls are going to soon be tapped, with huge and useless waste of resources.
Or I won't be surprised hearing some government urge ISPs to block Skype soon, once again; the stupid egg solution.
Fighting the mob is priority. Once again these people do it the wrong way, suspecting everyone, attacking innovation what they don't understand. Why am I not surprised :(
I've often wondered why we can't have generic laws. Laws that cover a type of action rather than a very particular case of a type of action. For example we have enacted wire tapping laws so that we can listen to phone conversations; why didn't we enact an eavesdropping law instead so that the required authorities could apply for permission to listen into the communications of an individual regardless of how those communications were taking place. As far as I can see this doesn't erode privacy any more than it has already been eroded and it means that we don't need all the half brained politicians making up reams and reams of new legislation (which invariably is an excuse for mission creep).
I used to have a better sig but it broke.
lol, police still think they can spy on the conversations of criminals?
They'll only get the stupid ones, which aren't the ones that you need a wiretap to find.
...and that is all I have to say about that.
http://jessta.id.au
...that the crypto on Skype sucks, that trying to monitor internet traffic like this is stupid, etc. please consider these facts:
- Criminals exist because the police aren't smart enough to catch them
- Most criminals get caught because they aren't always smart enough to outwit the police
- Most citizens don't become criminals because they either are smarter than the criminal element, or dumber than the police and know they'll get caught
- Most citizens get tickets for various stuff all the time and (sadly, rightly so, although it won't get them out of the charge) claim ignorance, proving the way of things:
- Smart people
- Criminals / Average intelligence people
- Police
- Dumb people
So, that means most laws don't even consider smart people because there's no point. They do consider dumb people, because while you can do certain things all the time to them (parking tickets, speeding tickets, etc) there are limits (jailtime for those things, etc). And they do consider criminals, because that's who they are targeted at, and they know that while the criminals are smarter than the police, they aren't generally smart enough to use particularly sophisticated techniques.
This means serious laws, like drug trafficking and murder try to ignore the burned-out bulbs and instead focus on the dimly lit ones, and they never consider the techniques of the truly bright because they're just not on the radar.
And the less serious laws, like personal drug possession and traffic laws tend to focus on the most dimwitted, because they generally exist for revenue, not safety.
Think about that next time you complain about a law to lawmakers. You need to focus on how it is hitting the least intelligent of society, and not how it is affecting your ability to tunnel SRTP over SSH via CIPE through OpenVPN with IPSec using Tor.
It's worse than that, they're hostile countries looking to harm our children
Well, they are. When the head of Iran says that he's going to get the bomb and the USA is as the Great Satan, do you suppose he's just joking around?
Satan tends to have different meanings in different cultures.
AFAIK, Satan is viewed as more as a Tempter in Islamic culture, versus the Evil One in Christian / Western culture.
So when the Iranians say that the USA is Satan, they mean it to be that the values and actions of the country will lead people astray from the proper and righteous (another misunderstood word) path.
(Please correct me if this interpretation is incorrect in any way.)
It should also be noted that Iraq did not have the bomb and was invaded, while North Korea does and they were not. Having The Bomb is good way to ensure your sovereignty.
Where is that Linux port for pgpfone?
We should all use that product and be happy because there's no backdoor in that one yet?
This is a point that is very clear and not missed. The goal is not to put all the Chinese dissidents together on the same sipwitch server so they can all be easily found :). In fact, the goal is for sipwitch itself to eventually exchange sip users (callable uri's) peer-to-peer in a gnutella-like fashion, so that one can locate the person you want to call by querying a large public network cloud where ALL secure users can participate and are mixed together whoever they are or whatever they are doing, and NOT collected together through common servers or service providers.
It's not about catching anyone. It's about "doing something", so they can't be criticized for "doing nothing".
"If anything can go wrong, it will." - Murphy
Your anonymous prank calls won't be so anonymous anymore...
icmp chat ( http://www.codito.de/ , http://www.codito.de/prog/icmpchat-0.7.tar.gz ) supports encryption and pads data to appear like completely normal ICMP traffic. It also supports all ICMP types, not just echo request/reply, so getting creative is trivial.
Of course, port forwarding/proxy'ing anything/everything through ssh or openvpn is also trivial. Good luck eavesdropping on that.
If anyone is caught doing anything "bad" with Skype, they're just ignorant, lazy, or both.
All in favour of their new strategy of luring hardened criminals to the local golf course for a few rounds ? Oh perhaps a ski weekend in Morzine ? That would be "doing something" too, but I think they'd have a bit more opposition to those plans (even if they might be more effective)
To take-off and to land safely, yes, I would agree. Lots of training, with partial failures, cross winds, buffeting, ....
To crash it ? well, anyone can do that.
To crash it specifically on the biggest, most visible building in the city ?
Like you must know how to increase power and actually aim ?
Any Western Countries thirteen year old nowadays must know how to do it...
2 hours in an old-style arcade would teach you those skills. And for under 3000$ you can build a full Flight Simulator(TM) that is enough to learn such skills...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Seriously, I don't see any crime mentioned here whatsoever.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
You can use Gizmo to set up a SIP number, which is free to use with other SIP numbers. Then use Google's GrandCentral to connect a POTS number to your Gizmo SIP number. Now you've got free incoming POTS calls. For right now, GrandCentral also lets you do free outgoing calls through its web interface (there are also other front-end clients that automate this for you). That part is free during their Beta period, but you know how long Google's betas go on.
So, we can assume, that if any intelligence organization today breaks eg. skype encryption, they might go to great lengths in publicizing the service as secure ?
Say, by making it appear that national and international police is unable to tap it efficiently, and starting a long-winded bureaucratic process "allowing" police access ?
With my knowledge of secure communications I could easily get a job as a top terror operative!
I've heard it's a growth industry
It is very possible to tap VoIP traffic using a packet analysis tool. Most ISPs will allow law enforcement to monitor IP traffic.
I wonder though, does this also apply to VoIP providers like Vonage and MagicJack?
Yeah, Iran is bad and U.S.A is good
That is right. Iran is bad, and the USA is good. The USA has a greater degree of economic and political freedom, and Iran does not. The USA put its people on the nuclear firing line to get freedom for eastern europe, and its sons at normandy before that for western europe, and stopped the japanese from a genocidal war against china.
The USA has cured numerous diseases, opens its doors to educate the world at its universities, tolerates political dissent that would draw death sentences and crackdowns in Iran.
What has Iran done? Nothing.
Seriously, if you think the USA is the same as Iran, go ahead and stand in downtown Washington DC and announce you are a Jew that hates the President. Heck, plenty of people did that over the last year. Now, repeat that same experiment in Iran, and let me know how it goes.
The same? Hardly.
This is my sig.
Obviously it can be broken by planting malware in the target's computer, but what are the other ways? Last we heard, independent reviews of the crypto protocols said they were pretty good.
But I am quite sure there are exploitable weaknesses in the login server and protocol. Skype operates that server, so we can assume that it either is or soon will be compromised.
Consider the following simple observations. I can install Skype on another computer, sign in with my existing user name and password, and talk to any of my existing contacts without any of them noticing anything unusual. I transferred nothing from my old installation, so my new installation cannot have any of its existing secrets. It knows only one long term secret: my account password, and I use that only to authenticate myself to the Skype login server.
Furthermore, unlike most IM programs, I can sign in from multiple computers and switch between them during chat sessions. All will get copies of all that is said.
This seems to demonstrate quite clearly that with the cooperation of the operator of the Skype login server, you can impersonate any Skype user and conduct either a man-in-the-middle attack or a conferencing attack.
The weakness here is that you're relying on the login server to authenticate your correspondents instead of doing it yourself on an end-to-end basis. Without authentication, encryption is meaningless.
You could probably add packet-level authentication mechanisms to Skype traffic to protect against this attack, but if you're going that far you might as well use something completely different that you can fully trust.
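The weakness described in the comment above (the login server, rather than the users themselves, authenticates correspondents) and the end-to-end check that exposes it, as an added example that is not part of the original thread and is not Skype's or ZRTP's code. It is a simplified verification-string comparison in the spirit of the ZRTP short authentication string mentioned elsewhere in the thread; the `Endpoint` and `LoginServer` classes, the toy Diffie-Hellman group and the 8-character string are assumptions made for illustration.

```python
"""Added example: trusting a login server vs. verifying keys end to end."""
import hashlib
import secrets

# Toy Diffie-Hellman parameters chosen for brevity (assumption, illustration
# only); a real client would use a vetted group or curve from a crypto library.
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def verification_string(own_pub, peer_pub, shared):
    """Short string the two users read to each other over the voice channel.

    It binds the public keys each side actually saw to the derived secret, so
    a substituted key changes the string. Sorting the keys makes both ends
    hash the same byte sequence.
    """
    lo, hi = sorted((own_pub, peer_pub))
    digest = hashlib.sha256()
    for value in (lo, hi, shared):
        digest.update(value.to_bytes(32, "big"))
    return digest.hexdigest()[:8]


class Endpoint:
    """One user's client: holds its own key pair and the key it was told."""

    def __init__(self, name):
        self.name = name
        self.priv, self.pub = keypair()
        self.peer_pub = None

    def accept_peer_key(self, peer_pub):
        self.peer_pub = peer_pub

    def session_key(self):
        return pow(self.peer_pub, self.priv, P)

    def sas(self):
        return verification_string(self.pub, self.peer_pub, self.session_key())


class LoginServer:
    """Hypothetical directory that tells each user the other's public key."""

    def __init__(self, compromised=False):
        self.compromised = compromised
        self.priv, self.pub = keypair()

    def introduce(self, a, b):
        if self.compromised:
            # Each user is handed the server's key in place of the peer's.
            a.accept_peer_key(self.pub)
            b.accept_peer_key(self.pub)
        else:
            a.accept_peer_key(b.pub)
            b.accept_peer_key(a.pub)


def place_call(compromised):
    """Set up one call and report what each party ends up with."""
    alice, bob = Endpoint("alice"), Endpoint("bob")
    server = LoginServer(compromised)
    server.introduce(alice, bob)
    return {
        # Encryption "works" either way; the question is with whom.
        "same_key": alice.session_key() == bob.session_key(),
        "server_can_read": pow(alice.pub, server.priv, P) == alice.session_key(),
        "alice_sas": alice.sas(),
        "bob_sas": bob.sas(),
        "sas_match": alice.sas() == bob.sas(),
    }


if __name__ == "__main__":
    for label, flag in (("honest server", False), ("compromised server", True)):
        print(label, place_call(flag))
```

With a compromised server both clients still negotiate an encrypted session, and only the mismatch between the strings the two users read aloud shows that the keys were substituted. ZRTP additionally uses a hash commitment in the key exchange so that a short string is enough; this sketch leaves that step out.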
The "free" countries are starting more and more to look like oppressive countries as the effective exercise of freedom becomes more and more.
Before, they could tap your phone and search your mail. We all believed we were free because there were "protections" in place.
"Law Enforcement" is a crock of &^%. It is spying, it is tracking what free people do with their freedom so as to not allow that which challenges government or industry. Maybe, just maybe, we'll catch a criminal, who knows.
Seriously, what is "crime" anyway? If a person smokes pot, why is that a crime? If a person wants to take cocaine in the privacy of their own home, why do our tax dollars have anything to do with that?
Look at prostitution, the only reason why it is a crime is because someone made a law. If two consenting adults engage in sex for money, why am I or anyone else even involved? Hell, why don't we just tax it?
Nope, "Law Enforcement" is a red herring. It is about the control over society that the powerful want. The Internet is shifting too much power to the individual. Time was we had the illusion of freedom and no real way to exercise it. Now with the internet, we really can communicate privately and we really can say things anonymously, that has formerly democratic states worried because preaching a free society is easier than actually having one.
Here is my anti-corporate "free speech" site:
http://www.planetsubarusucks.com/
what if one uses a dedicated VoIP network with strong encryption and white noise generator when idle so you may not know when in use or not?
How could interception work if no keys were exchanged on the wire?
How could law be written to take care of this while keeping some reserve for legitimate uses?
At least there's a pretense of procedure. It's when they don't bother with warrants and such that you know they no longer fear their constituency.
the popular will is the popular will is the popular will
what other opinion exists that is somehow more valid than that?
what point of view can stand in judgment of the popular will and call it wanting or lacking?
you say how can i celebrate mob rule. i ask you what else there is that is of any superior validity? according to who?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
No need to click all the right buttons in the right order, no pre-flight check.
Landing? It's when if something goes wrong it goes badly wrong, but all you need to do is watch the rate of descent. If you run out of runway, you may break, but that is at the end of the run down the runway where you've lost speed every foot.
Not at the end where you're *nearly* going fast enough to get lift over the trees...
This sudden publicity about Skype, which already apparently allows "lawful intercept", makes me wonder:
What if the security agencies and/or law enforcement just developed an effective tool to break and eavesdrop on Skype conversations? Its existence would eventually leak. So there's a window of opportunity - between the time the easy crack becomes available and the time it becomes known.
During that time a flurry of publicity about "how hard it is to tap Skype calls", "the terrorists may be avoiding the security agencies", yadda yadda, might encourage crooks, terrorists, and other undesirables to move to the compromised service and expose themselves.
If the legal situation makes it hard (or impossible) to use in court, a change to the law to permit and admit Skype taps would be desired by investigators. But a push for the law change would make more sense if there is some recently developed technological underpinning for tapping Skype than if it is an attempt to force Skype to knuckle under. (Meanwhile, illegal taps are still useful: They can be "laundered" into "anonymous tips" by the tapper calling the investigator at the next desk ...)
So I wonder if Skype's security just got broken.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Whenever I hear police complaining about how they're being stifled by X technology, it always makes me wonder if perhaps they really have no problem at all, and are just trying to drive criminals to use it so that they will be easier to catch. Your average police agency might not bother with such a tactic, but when you hear big national agencies talk about how they're having trouble with terrorists/drug smugglers/mobsters/etc using a particular system, it makes you wonder...
I briefly investigated secure telephone communication options for citizens after our Canadian government followed the US down the path of personal privacy invasion by passing soft wiretapping laws.
My opinion on the best solution for secure telephone communication is Zfone from Phil Zimmermann and company. Seen here: http://en.wikipedia.org/wiki/ZRTP
I do believe that the massive wiretapping issue in our countries is one of the greatest threats to our future freedom and democracy.
Now that we have given away these freedoms... never expect to get them back. It is too much power for any governing body to give away. As you can see now... the new US president is moving away from earlier promises made in this regard.
And we should not wait for someone to come into office that chooses to abuse this power.
The only solution to stop having your rights infringed upon, is to take matters into your own hands. Please... encrypt your voice communication. And use open source for your own protection and peace of mind.