Slashdot Mirror


European Crackdown On Skype "Loophole"

angry tapir writes "Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police. Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions, has announced the opening of an investigation involving all 27 countries of the European Union."

24 of 230 comments

  1. "Allowing Criminals" by Spazztastic · · Score: 4, Insightful

    Or allowing law abiding citizens to speak with their relatives in hostile countries without worry of big brother listening.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
    1. Re:"Allowing Criminals" by TheRaven64 · · Score: 5, Insightful

      And what sensible criminal would use Skype anyway? If you care about potential eavesdroppers, you don't use proprietary encryption, and especially not proprietary encryption over a proprietary protocol that has been shown to be insecure (see the Black Hat paper).

      If you want security, run SIP over SRTP, with clients that have undergone third-party security audits.

      --
      I am TheRaven on Soylent News
    2. Re:"Allowing Criminals" by fastest+fascist · · Score: 2, Insightful

      Yes yes, but obviously governments will rarely, if ever, welcome technology that increases the power of the citizen. They are there to *govern*. In other words, no government will much give a damn if a hostile country listens in on calls made into their territory if preventing that means any decrease in their own ability to conduct surveillance. They were fine with it before Skype, why would they care now?

    3. Re:"Allowing Criminals" by Anonymous Coward · · Score: 5, Insightful

      All of them. If I have multiple older male siblings, I can address them all as "Big brother." The existence of one does not preclude the existence of others.

    4. Re:"Allowing Criminals" by linhux · · Score: 2, Insightful

      You mean the paper that explicitly concluded that "Skype was made by clever people" and "Good use of cryptography"?

      Yes, it has weaknesses, but unless you get your victim to run a trojanized Skype (at which point they'd be screwed either way), it still seems reasonably secure. Oh, and of course you trust Skype Inc anyway, if you're running their binary.

      That said, Skype is inherently scary, and I'd naturally advocate an open source, peer-reviewed system. I just get the feeling that many people misinterpreted that paper.

    5. Re:"Allowing Criminals" by morgan_greywolf · · Score: 4, Insightful

      You're kidding right? IF terrorists can learn to fly a jumbo jet, which, mind you, is a very complex beast that requires a lot of training, simulator, and real-world flying time to be able to fly one, or if they can become munitions experts, what's to stop terrorists from becoming IT experts?

      Nothing. Nothing at all. Terrorists can take the same classes you took, take the same training you took, and learn as much about IT as you did.

      Anyone determined enough to kill a bunch of people in order to achieve notoriety for their cause can learn just about anything if they think it will help them achieve their goal.

    6. Re:"Allowing Criminals" by tjstork · · Score: 3, Insightful

      It's worse than that, they're hostile countries looking to harm our children

      Well, they are. When the head of Iran says that he's going to get the bomb and the USA is as the Great Satan, do you suppose he's just joking around?

      --
      This is my sig.
    7. Re:"Allowing Criminals" by morgan_greywolf · · Score: 2, Insightful

      Um, at least two of those planes (probably all of them) were steered hundreds of miles off course by the terrorists.

    8. Re:"Allowing Criminals" by morgan_greywolf · · Score: 2, Insightful

      A Mafia boss has money and can hire whatever talent he wants. Heck, he could even offshore it. It's not like these Indian offshoring companies are asking who their customers are or how their work is going to be used. They're whores. They'll do anything for cash.

  2. Too many loopholes by mangu · · Score: 4, Insightful

    Suppose they have a way to intercept Skype calls and decrypt everything. How will they know a conversation like "Aunt Emma's cat had seven kittens, three black and four white" actually means "I'm sending seven kilos of heroin, Giuseppe will take three and Giovanni four"?

    1. Re:Too many loopholes by Anonymous Coward · · Score: 3, Insightful

      That's an issue which applies to any form of intercepted communication, not just Skype.

    2. Re:Too many loopholes by JasterBobaMereel · · Score: 4, Insightful

      Arbitrary codes like this and one-time pads have been proven (when done correctly) to be absolutely secure, whereas all encryption in theory is insecure (the only exception is quantum encryption).

      Skype is a well-known protocol, with a known encryption system, and is not secure ....

      --
      Puteulanus fenestra mortis
    3. Re:Too many loopholes by Asic+Eng · · Score: 5, Insightful

      As much as I'm a privacy advocate ... Fact is most criminals are not particularly clever - often they make mind-numbingly stupid mistakes. One of the tasks which the police has to solve is to process the stupid criminals quickly, so that they have resources left for the more intelligent ones. Besides, in theory you can avoid any one mistake, but in practice it's impossible to avoid all of them.

      So suppose the police intercept the conversation example you used. What does it tell them? Well - first they are going to find out that neither of the people involved actually has an Aunt Emma, or indeed any aunt who owns cats. Alternatively they might be aware that the people involved don't exchange a lot of private information, hence are not close enough to care about the cat of some relative. So they know it's a code and from that they know that something is going to happen. The recipient is a suspected drug dealer, the sender a suspected supplier, so they guess that it's about a drug deal. Possible action: keep a close watch on the recipient of the message - he may receive the drugs soon, or he may establish contact with the persons receiving the drugs.

      Even if they can't guess the first thing about the content of the message - intercepting it can still yield information. E.g. it could tell them that the recipient is online now - using the IP address they could identify his location - or they could obtain a voice sample which could be used for identification. They could use the time someone calls to identify their daily routine - if suddenly a call is made at an unusual time (e.g. 2 am for someone who usually sleeps early) then they can guess that something interesting is going on.

      Taken to the extreme opposite - if intercepting communications between criminals would never yield results, then wire tapping in all forms would have to be stopped. We could determine whether that's the case by analyzing criminal cases - is wire tapping evidence never introduced, is wire-tapping information never used to guide investigations? If that's not the case, then we shouldn't expect a zero return for Skype interception either.

  3. Only Skype? by tedrlord · · Score: 3, Insightful

    Somebody better tell them about all the other evil loopholes that criminals can use to talk over the internet. They'd better also be able to wiretap Yahoo and Windows Messenger voice, oh, and X-Box chat, and we're going to have to change the RTP protocol to send them a copy of all communications, of course. I'm guessing we'll have to hack all ssh clients to unencrypt VoIP traffic if somebody tries to tunnel it, too.

    Or, you know, just get on Skype's case because authorities apparently have no idea what they're doing and seem to believe that Skype is the only way to talk over the internet. I'm sure the criminals appreciate the heads up so they can make sure to use more secure methods.

    --
    [insert witty quote here]
  4. I don't WORRY about so-called criminals by TheGratefulNet · · Score: 4, Insightful

    I do worry about my (and everyone's) government.

    The governments are ruining our lives, NOT the terrorists OR the criminals!

    What an upside down world we live in. I truly don't fear criminals. I truly do fear my own government.

    What is a criminal going to do with info he taps from my line? OTOH, we can clearly imagine the kind of damage that happens when the governments listen in.

    I wonder if we can ever fix this broken world of ours, where we have more to fear from the so-called good guys than the bad guys.

    --
    "It is now safe to switch off your computer."
    1. Re:I don't WORRY about so-called criminals by freedom_india · · Score: 2, Insightful

      Yup.
      Since when do people who use undocumented features become criminals?
      And what right do the governments have in labeling such people criminals?
      Have they been proven guilty in a court of law?
      If not, then it means if the government indulges in unauthorised snooping it is OK by law?
      Why can't governments be held under the same law that they pass for citizens?
      For instance in the US, it is a criminal offense to eavesdrop on a telephone line without a court order.
      If I do it, I have committed a criminal offense.
      But if the NSA does it, it's legal???
      When Nixon said that if the president does it, it must be legal, he was right.
      If I "forget" to pay my income tax on the deadline, I get a mandatory fine AND penal interest at 3% per month.
      However, the government has no such refund deadlines. If it "forgets" to refund my income tax excess, it gets away with a simple apology and an interest rate of 1% per year!
      Why can't the government be criminalized if it fails to refund me excess income taxes? Because it would bankrupt the government?
      Since when did the Government become an entity separate from the people?
      The French are right: we need another Republic.
      The Government IS the problem: anywhere.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
  5. Re:I'm glad we standardized on Skype by jimicus · · Score: 4, Insightful

    If the de facto standard was open source, with provably well implemented encryption, then I wouldn't be safe from the criminal hordes.

    It could have been. If an open source project created a product which worked as well as Skype I'm sure it could easily have been as popular.

    The problem with a plain SIP client is you suddenly find you need a SIP account with a provider - there aren't many truly international SIP providers and they don't all have agreements to allow SIP calls to be carried for free, which adds a lot of complication. And every layer of complication you add to a product will put a lot of people off.

  6. Re:Secure phone by TheTurtlesMoves · · Score: 2, Insightful

    I just use write over ssh. But if they have a warrant they could put a key logger on my keyboard or put bugs in the house. Once there are warrants, all bets are off.

    --
    The Grey Goo disaster happened 3 billion years ago. This rock is covered in self replicating machines!
  7. Smart criminals will not be affected by houghi · · Score: 2, Insightful

    A smart criminal will know that not only are they interested in what you say, but more often who you say it to. "Aunt Bertha is ill" could mean that I am worried about my aunt, or that the shipment of drugs and guns will be arriving 09:00 in wherever.

    A semi-smart criminal will be using e.g. /. to post messages and think there is no relation between the people. However the Man can gather the information to who connects and then with some time and exclusion determine who I would be speaking to.

    So what you need is a way of communicating with each other where there is no direct link between sender and receiver. You could wait for Google to enter the message in their search and use their cache to read it. Bit safer, but still not 100%.

    An even smarter criminal would be using something where messages are exchanged between points where you have no control. During WWII (Not the game console) radio was used. Sending from the UK, receiving on the continent and no idea who the message was intended for.

    Such a thing exists today and is called Usenet. You can use e.g. alt.test for plain messages. You can also pgp the message and then post it inside a porn image or music file to an appropriate group.

    Darn I just provided a link between illegal music and terrorism. Sorry.

    Now the real smart criminals won't be affected by this. They do everything by the law and when things do not go well, they get rewarded anyway.

    --
    Don't fight for your country, if your country does not fight for you.
  8. ...suspicious phone conversations?!? by ReeceTarbert · · Score: 2, Insightful

    Suspicious phone conversations on Skype could be targeted for tapping
    Am I missing something here? How can you know a phone call is "suspicious" if you're not tapping it already? The mind boggles...

  9. I suppose law enforcement has to do something... by OneSmartFellow · · Score: 2, Insightful

    ...I just wish they had better advisors. There's simply no way to prevent a determined group from communicating in secret. Certainly this proposed legislation isn't going to help one bit. Perhaps they'll catch the dumbest of the groups, but then, they're probably the least dangerous anyway. I'm not suggesting they give up, but perhaps a radical change in tactics is in order.

  10. Who says they can't already tap it? by ouder · · Score: 2, Insightful

    My guess is that most national security agencies have already broken Skype. Those national spy agencies probably have not shared that information with their local police. In fact, the spy agencies probably love it when the local police go around complaining that they can't tap Skype calls because it lulls the people they want to listen to into a false sense of security that Skype is safe. This story will probably go on for a long time. The spy agencies are going to make sure that no law gets passed that requires Skype to open up. There will always be a local police agency that isn't bright enough to figure out what is going on, so they will keep it in the news.

  11. Generic Laws by squoozer · · Score: 2, Insightful

    I've often wondered why we can't have generic laws: laws that cover a type of action rather than a very particular case of a type of action. For example, we have enacted wire tapping laws so that we can listen to phone conversations; why didn't we enact an eavesdropping law instead, so that the required authorities could apply for permission to listen in to the communications of an individual regardless of how those communications were taking place? As far as I can see this doesn't erode privacy any more than it has already been eroded, and it means that we don't need all the half-brained politicians making up reams and reams of new legislation (which invariably is an excuse for mission creep).

    --
    I used to have a better sig but it broke.
  12. So what *is* the state of Skype security? by Phil+Karn · · Score: 2, Insightful

    So this asks the obvious question: is Skype still secure?

    Obviously it can be broken by planting malware in the target's computer, but what are the other ways? Last we heard, independent reviews of the crypto protocols said they were pretty good.

    But I am quite sure there are exploitable weaknesses in the login server and protocol. Skype operates that server, so we can assume that it either is or soon will be compromised.

    Consider the following simple observations. I can install Skype on another computer, sign in with my existing user name and password, and talk to any of my existing contacts without any of them noticing anything unusual. I transferred nothing from my old installation, so my new installation cannot have any of its existing secrets. It knows only one long term secret: my account password, and I use that only to authenticate myself to the Skype login server.

    Furthermore, unlike most IM programs, I can sign in from multiple computers and switch between them during chat sessions. All will get copies of all that is said.

    This seems to demonstrate quite clearly that with the cooperation of the operator of the Skype login server, you can impersonate any Skype user and conduct either a man-in-the-middle attack or a conferencing attack.

    The weakness here is that you're relying on the login server to authenticate your correspondents instead of doing it yourself on an end-to-end basis. Without authentication, encryption is meaningless.

    You could probably add packet-level authentication mechanisms to Skype traffic to protect against this attack, but if you're going that far you might as well use something completely different that you can fully trust.
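
The end-to-end check that the last comment above argues for, as an added example that is not part of the thread and not Skype's code: each client pins a contact's key fingerprint confirmed over a separate channel, so a key vouched for only by the login server gets flagged. `Directory`, `PinningClient` and the sample keys are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 of a public key, truncated and grouped so two people can read it aloud."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

class Directory:
    """Hypothetical stand-in for a login server that vouches for each user's key."""
    def __init__(self):
        self._keys = {}
    def publish(self, user: str, public_key: bytes) -> None:
        self._keys[user] = public_key  # whoever controls the server controls this mapping
    def lookup(self, user: str) -> bytes:
        return self._keys[user]

class PinningClient:
    """Accepts keys from the directory but checks them against pinned fingerprints."""
    def __init__(self, directory: Directory):
        self.directory = directory
        self.pins = {}  # user -> fingerprint confirmed over a separate channel

    def pin(self, user: str, confirmed_fingerprint: str) -> None:
        self.pins[user] = confirmed_fingerprint

    def check_contact(self, user: str) -> str:
        offered = fingerprint(self.directory.lookup(user))
        pinned = self.pins.get(user)
        if pinned is None:
            return "unverified"      # only the server's word: encryption without authentication
        if hmac.compare_digest(offered, pinned):
            return "verified"
        return "key-changed"         # new device or substituted key: re-verify before talking

def demo() -> list:
    # Constructed sample keys; real ones would be public keys generated on each device.
    alice_key = b"constructed-sample-key-alice-device-1"
    other_key = b"constructed-sample-key-not-from-alice"
    directory = Directory()
    directory.publish("alice", alice_key)
    bob = PinningClient(directory)
    results = [bob.check_contact("alice")]
    bob.pin("alice", fingerprint(alice_key))  # Alice read this out to Bob in person
    results.append(bob.check_contact("alice"))
    directory.publish("alice", other_key)     # the server now vouches for a different key
    results.append(bob.check_contact("alice"))
    return results

if __name__ == "__main__":
    print(demo())
```

A client without the pin table would accept the third lookup exactly as it accepted the first, which is the multi-device sign-in behaviour the comment describes.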