Microsoft Won't Say If Skype Is Secure Or Not. Time To Change?
jetcityorange writes "When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]. Microsoft was granted a patent a month after purchasing Skype that covers 'legal intercept' technology designed to be used with VOIP services. Is it time to consider more secure alternatives like Jitsi like Tor's Jacob Appelbaum suggests?"
The more shocking idea is the assumption that any major VOIP service based in a major country does not allow intercepting on their services.
If you are serious about privacy Skype was never even an option! ;)
Earn Cash and Prizes, and get free stuff!
If there is a third party running the server in the middle, there can be no trust. Run your own server if you need security. There are lots...
Anything transmitted online - whether it be VOIP or cleartext or whatever - can be tapped
Even when you tunnel your channel, even when you employed all the evading/security technologies that you can think of, if TPTB wants to know what you do, they could find ways to _CAN_ tap you
But of course, we _are_ talking about Microsoft in this case, which makes it even more poignant to understand how frail our security situation really is, online
Muchas Gracias, Señor Edward Snowden !
It's been assumed for a long time that Skype is insecure, as one would expect from a prominent closed-source solution like that. The thing that's new (to me, I hadn't heard it) is that Microsoft purchased Skype. I have no particular fondness for Microsoft but they're more upstanding than Ebay, which gave up a lot of customer information after 9/11 without warrants and denounced other companies for not doing the same.
We've used OTR when we want to IM about something sensitive - is there any sort of similar plugin for Skype? It appears there's a text chat OTR plugin... but a video version would be more useful for most people.
#DeleteChrome
I just tried Jitsi while /. was in maintenance mode. It does not work on this very standard Win7 box. Incoming audio is missing; logs are missing. Uninstalled already - not usable. Bria works fine. My VoIP server (3CX) is on the local subnet.
But even beyond that, Jitsi is not a solution; it's a component. The only way to make it into a solution is by selling your soul for cheap to the likes of Google and Facebook. That would be counter-intuitive for a product that sells itself as a secure thing.
The only reasonably secure way is to run Jitsi on your own SIP server. However that is not an exercise for everyone. A geek can deploy a SIP server, but a common man cannot even understand what we are talking about here.
I'd say that 3CX people already have a solution. First, they have a TCP tunnel that you can use to go through firewalls and specifically NAT. Then they support encryption. And finally, their stuff works. (This is important, despite what some geeks say.) They also have a client for Android (besides the usual suspects.)
However in terms of simplicity Skype leads the pack.
. . . with my Family are of interest to any government. Come on, Skype is for keeping in touch with the old folks at home. For anything serious you would use something more peer to peer without any 3rd party involved. And even then . . .
Cheers, Nostrada
Here we go: Microsoft is a major multinational corporation, with a substantial base, substantial assets, most of their higher-ups, and a fat load of juicy contracts within the jurisdiction of the United States (and a number of other countries that have less clout; but are no more savory)...
Now, according to the feds: "CALEA Compliance for Packet Equipment, And Equipment for Facilities-Based Broadband Internet Access Providers and Providers of Interconnected VoIP
All facilities-based broadband Internet access providers and providers of interconnected [with the POTS legacy telephone system] VoIP service have until May 14, 2007 to come into compliance with CALEA."
So, how lucky do you feel? Skype in and Skype out are definitely 'interconnected VoIP service', but it isn't entirely clear whether PC-PC skype connections would be treated as part of that 'interconnected VoIP service' or whether, because they aren't directly interconnected, they are treated separately. Do you fancy hoping that Microsoft feels like belaboring that decision in court to no obvious benefit for themselves?
I have a helmet that'll deal with the wrench.
It makes sense if you need to interact with the POTS network. But if you're calling someone else who's also using the internet, it shouldn't require anything more than software running on the two end machines, with strong end to end encryption. There shouldn't NEED to be anybody in the middle skimming off dollars and possibly intercepting traffic.
This never made sense to me. People seem really keen on letting third parties control their internet activity. It's the same with chat, and with a bunch of other things. The main strength of the internet could have been letting anyone in the world communicate with anyone else without having to ask permission or open their communication to prying eyes. Instead, everyone went the other way. It's tragic, and may become much more tragic in the future.
Here's my question - I'm hoping some knowledgeable slashdotter with some IP nouse can clear up my confusion. Are there any technical, or any legal reasons, why a 3rd party app cannot simply wrap Skype, at least for voice calls (leave video aside for now)? Lots of 3rd party apps present as printers to the OS, and when you print to that virtual printer, they create an eps file or a PDF file or whatever.... Why is it hard for a 3rd party app, similarly, to present as a headset (mic + speakers) to the OS, allowing the user to run Skype as well as the 3rd party VOIP app, and select that headset in the Skype audio options? You could then run your 3rd party VOIP solution, and have Skype set up to start in the background. Calls in either direction to others on Skype could be handled transparently in the 3rd party VOIP app, and that would give users the chance to gradually get their network of friends and family swapped over to open, standards compliant VOIP solutions, without having to give up on contact with those running Skype (face it, that's everyone), or switch between 2 apps for calls (I understand the API already exposes things like accept call...) If this is a viable way to overcome the powerful networking externalities that Skype now has working in its favour as a barrier to new entrants, has it not been done because of a) legal b) technical c) marketing or d) other issues?
ceci n'est pas un sig
Microsoft Won't Say If Skype Is Secure Or Not. Time To Change?
Can all the alternatives solemnly promise me that they're secure too? And to jump to the end of the ensuing discussion, where do I gain the expertise to be a subject matter expert (in several areas) and length of time in which to review all relevant code?
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
Into what?
“He’s not deformed, he’s just drunk!”
If you are getting concerned _now_, then you have been asleep at the wheel.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Encryption is not illegal in the U.S.
Why doesn't someone create an open source encryption solution which encrypts the conversation with a public key prior to routing it over Skype then decrypts on the other end with the private key? I know encrypted land line phones exist; I've seen and used one. Any intercept or wire tap just gets something similar to modem sounds. Their major disadvantage is the encryption key has to be set in advance of the call, usually by sneaker net. When someone listens in, warrant or not, all they get is nonsense. A truecrypt for VOIP.
If it's not possible then we may see the return of the land line for secure conversations.
When I heard Microsoft had purchased Skype, my first thought was "Skype is dead". It only remained to find out in what way it met its demise.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I have been using Oovoo for a number of years now. It has a better interface than Skype, and you have a number of security options.
I think we are missing the point.
The question should not be "Is it secure?".
The question should be "Why isn't it secure?"
There was a time when only a judge could order a wiretap.
The privacy of my snail mail is protected by federal law.
When did that all get scrapped?
Why can I not expect the same privacy simply because of a different medium.
The big companies are trying to have their cake and eat it.
When it comes to things that benefit them, they are happy to move with the times.
When it comes to "copyright" and "intellectual property", then they want us to stick with the old rules.
New rules for everything, or old rules for everything.
Microsoft, you choose!
The internet is a public forum, and it is absurd to think that anything you say in public will not be heard.
Time is what keeps everything from happening all at once.
Then check out his latest venture
https://silentcircle.com/
If you thought you could trust it (why? duh.) in the past, I don't know how anyone would use it for anything sensitive
after the German government did their don't-throw-us-in-the-internet-briar-patch move and announced frustration with cracking
Skype encryption. If true they would never have admitted it.
They patented VOIP wiretaps so no one else could do it. You can sleep soundly tonight knowing that if anyone* even tries to wiretap your calls, they'll slap them so hard with a patent infringement suit their grandkids will still be indebted to Microsoft.
*The term "anyone" does not include government agencies, Microsoft business partners, affiliates or Microsoft itself.
Perhaps it's not the intention of the Slashdot editor who titled this story, but you know the saying where if a news title is phrased as a question the answer is always "No"? Well this is the case here as well.
You should always have been aware that Skype might be monitoring your calls, since you don't control the network. Nothing has changed ever since Microsoft took over, so what makes it the case that NOW it's time to change? Besides, change to what? There's nothing else out there which is accessible to most locations around the world with the ease of use and ease of configuration which is comparable to Skype (along with video support). What, Google Voice? How is that better for secure communications? Ekiga? No-one uses it because it doesn't fucking work properly.
Wasn't the FSF supposed to be working on some sort of free Skype alternative? Yeah, go them. In the end you need to bring people across from Skype in addition to finding alternative software, and if those apps aren't even available for your Phone for example, then you'll be hard pressed to get anyone to convert.
Most people on Slashdot are fucking idiots.
The method of claim 1, wherein receiving data regarding establishing a communication session between two entities comprises receiving the data at a recording agent logically disposed between a requesting entity of the at least two entities and a call server that is involved in establishing the communication session.
I think the problem might be right here.. Since the communication between two devices must use a method to request and grant the request generally it is from point A to point B .... But since it is using a third party server, THAT server grants the request, not the individual.... Meaning THAT server has the rights to all data that is being streamed during the session
-- SnappleX
All of their conversations are encrypted with the same key. If they had any interest in protecting your privacy then they would have built in OTR or some other FOSS end to end encryption.
Only stupid people would rely on Skype for security. It's got nobody looking at the code other than those who are obliged to NOT reveal publicly insecurities. If it's not free software maintained in a public manner (public CVS, etc) so that other developers can scrutinize the source code easily as changes are made you have to assume it's compromised. That is why our dependence on nVidia, ATI, and other proprietary software is so dangerous. We really need to be more concerned about the BIOS and other non-free microcode your system depends on. None of us really know what's inside our computers. Richard Stallman might be a paranoid individual. However he is not wrong about these issues. His concern is completely valid. Your phone IS a tracking device, it IS being used by the government to track people, it IS being used in investigations, those cameras on the roadway ARE being used by lawyers to attack exs in divorce situations, our privacy IS non-existent. All of these things don't concern the majority of us until after we have been involved in legal matters. My mom thought I was nuts until she had a school pupil's mom threaten legal action (not that she did anything wrong). The point is even in cases where there is nothing wrong you are doing these legal actions WILL expose information that ought to be private. And keeping that information private is something near impossible to do. We have the largest incarceration rate in history (USA at least) and just about anybody can be brought up on serious criminal charges. AND depending on your skin color/sex/and a handful of other factors your chances of seeing jail time are astronomical.
A black male born in 1991 has a 29% chance of spending time in prison at some point in his life.
http://www.buildingblocksforyouth.org/overrepresentation.htm
Aside from not padding its encrypted packets, thus leaking data via phonemes, etc., MS will certainly be complying with the "law" to furthest of their abilities -- and then some, I suspect. MySpace was known to essentially gift-wrap user data and send it to law-enforcement, probably with chocolates too. Although it's not an entirely unreasonable question, I think paranoia can be liberally applied to the question of Skype's security.
One thing that really peeves me about Skype is their assignment of a generic number which my contacts sometimes receive. If a contact attempts to return my call, an audio recording essentially indicts the user with a ridiculous legal disclaimer, blabbing about illegal activity and so on. A little vid I made describes it: http://www.youtube.com/watch?feature=player_embedded&v=9ie_0aY1DM4 -- I would love an alternative to Skype, but such would require a serious amount of funding.
It is also odd that the NSA offered so much money to get into Skype, all whilst it was leaking. Perhaps I am missing something.
Forward! -- Emperor Norton, 2012
The first word in the article title is "Microsoft". Whatever the topic that follows, it's obviously time to change.
My mom's Skype account was recently hacked. Apparently the hackers were able to abuse the Skype Manager system to gain control of her account without her authorization, transfer her account balance, and reset her password. Skype's customer service has acknowledged the problem but has not been able to restore access to the account yet.
(I don't know any more details than that, as I haven't been involved.)
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Either get in and be serious or don't.
Stop buying up companies only to mismanage them into oblivion.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
"When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]
Then it's not. When you have to guess, in this case, whether skype is secure, assume the worst. Absence of proof of security is proof of no security.
--
BMO
We need to be reminded constantly, because of our short attention kittens.
Jesus when did 4chan get a moderation system and how did I manage to mistype slashdot.org?
Skype is about as secure as your mobile phone's GSM chip which has a deliberate flaw (backdoor) to allow hacking of your phone call.
Take Nobody's Word For It.
Why now? How does Microsoft change anything? It was time to consider more secure alternatives from day zero!
God, root, what is difference ?
The only thing I use Skype for is to talk to my little boy who lives with his psycho...er..um, I mean mother in Finland (step-dork works for an American company there) and to talk to my oldest son who lives in Kentucky. No high security stuff there. Younger son talks about who he has "pwned" in HALO. Older son talks about married life and jobs stuff... So, if they have to listen in on that...then, as my teen daughter would say, "It's like, whatever"
Every bigger VoIP software dev company already has all these (TCP, HTTP tunneling, encryption). Check Mizutech or Voipswitch for example.
What do you mean, change? I never used Skype in the first place, _because_ it's an obscure binary blackbox.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Why on earth did you think Skype was safe before they filed that patent? It's closed source, so there's no way to tell how exactly it encrypts the communication. There have been hints back in 2008 that Skype has a backdoor for certain government agencies.
Why not just add another layer of software? Put a layer on top of the OS that encrypts the audio stream itself before introducing it to the part of the audio system that introduces it to Skype into an unlistenable digital mess, and then put that same software layer on the receiving end in order to decrypt it? The overhead seems rather minimal, and you could solve the crypto problems with existing key systems.
When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]
Skype was just purchased by Microsoft. This is a wild guess, but the software may not be well written, and MS may still have some hard time to figure out what it does exactly, and where. The MS guy may just have answered out of incompetence.
Slashdot, fix the reply notifications... You won't get away with it...
Of course it isn't secure in that sense. Of course your calls can be monitored and recorded.
If that is not the case then Microsoft are in breach of US laws regarding telecommunications (some brought in over recent years under the banner of national security, some that have been around longer).
If calls could not be monitored when they bought Skype, they will have changed that soon after, or if they still haven't sorted that yet they will be actively working towards that goal as we speak. Whether the law is right to expect this is a completely different discussion, MS and legal entities like them do not have the luxury of ignoring that law just because doing so might upset their customers (after all if they could get away with ignoring those regulations, what else might they try the trick with?).
tl;dr: No, it isn't truly secure. I'm not sure why people thought it might be.
Can anyone tell whether Skype, Jitsi or any other similar service now works w/ IPv6? From what I understand, these sort of applications require end to end connectivity, and since it's increasingly rare in cases of IPv4, I was wondering how they are w/ IPv6. Any idea?
"Citing “company policy,” Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service “co-operates with law enforcement agencies as much as is legally and technically possible.”"
Well, what do you expect? He is a PR person. He can't answer that question, unless the legal department has told him what answer to give. And we haven't actually seen the exact question that was asked and the devil could very well be in the details. Slight difference in questioning might give completely different answer.
Just as an example: The headline here says "Microsoft won't say if Skype is secure or not". The summary asks whether Skype conversations [could be monitored]. The article headline asks whether Skype can eavesdrop on your conversations. These are three different questions within five minutes, so we cannot possibly know which question the PR man refused to answer. My guess: None of those three.
Microsoft can't be trusted with anything. Why would anyone want to use software by a monopolistic corporation that is a rampant privacy abuser? They are just as bad as Google and are getting worse. I laughed my ass off when they suffered their first quarterly loss - it's about bloody time. The only way for Microsoft to go now is down and out.
Billy Boy had better sell up now else risk losing his "fortune".
and pay no attention to that man behind the curtain.
NSA whistle blowers warn that the US government can use surveillance to 'see into your life'
Just knowing who you're talking to can be all the info they need.
http://xkcd.com/1085//
Most of the time no one cares what you have to say
When someone cares they will have the means to listen in
http://xkcd.com/538//
If you think companies are going to let all their systems talk to the internet at large just because they use IP6 then you're off with the pixies. It's almost certain that most corps will limit ip6 devices to link local only addresses and use some form of address translation as a "security" measure. The only thing IP6 will gain us is a huge increase in general network complexity.
Skype has been compromised since MS bought it and brought it to the shores of USA.
I am done with it as soon as my subscription runs out. Looking for a new overseas VOIP where privacy is still important.
IMHO Microsoft is ruining Skype! Skype has overall degraded in quality, would not dial on my Android phone, and from my computer the voice & video is choppy. My internet has not changed.
I don't use Skype, but I assume they are not happily wasting bandwidth. I'm pretty sure the audio is being reinvited whenever possible (meaning it's just signalling going between you and the Skype server, and it just tells you the IP of your peer, and you send your media straight over there through RTP).
WTF am I doing replying to an AC at 5 A.M on a Friday night?
In the US, government requires that every service be monitorable. You CANNOT have a private voice service open to the public. It has been that way for a long time. The politicians YOU voted for put that in place.
To...what?
Last time I looked for an alternative, the only thing I could find was a crappy HP knockoff.
What do I know, I'm just an idiot, right?
Apparently MS got the go ahead to drive users who care to Jitsi. This way they know where to listen for the good stuff.
If you didn't switch then, it's too late.
Stop with this nonsense.
Jitsi is not a real alternative for grandma and grandpa.
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
I thought this was common knowledge.
I even remember hearing (reading on Slashdot about 2-3 years ago) from one of the guys actually working on a contract in Germany; he was tasked with providing this functionality (backdoor), for the German government.
Can't remember enough to be able to find/search for the discussion but others may have more luck (and time).
I don't think Skype would have been legal in Germany had this "feature" not been added..
Like my Facebook account, I don't publish info I don't want strangers to know... And I don't care if someone sees me or hears me saying to my gf "I love you" over Skype... it's very simple ppl, you don't want your info open? well..leave it at home...
And no, we will not switch to your unheard-of, no-name, pet-fav, video conferencing software. Definitely not because some guy from the tor project said we should.
Standards. They were written for some reasons!!!
There are already standards for handling VoIP calls:
- SIP, the Jingle part of XMPP (and H323, although it's more akin to "ISDN-over-IP" :-P)
(and basically SIP and Jingle are just fancy protocols to open an RTP media connection between two peers).
Any software supporting SIP or Jingle can call any other software supporting it.
You could be using Jitsi and I could be using Pidgin and you could still talk over VoIP (over an RTP connection to be precise :-P).
Or we could use any other SIP or Jingle software (like Ekiga, Twinkle, Google's GTalk client, psi, etc.) or we could be using an actual hardware phone which supports SIP (there are SIP IP phones in enterprises, there are SIP phones wireless over Wifi for home use, there are SIP applications for Android phones, etc), or we could even be using one of these fancy modems with SIP telephony support and connect it with any DECT wireless phone or plug any wired POTS into it (for example we have a Fritz! modem with my housemates).
- There are already NAT traversal solutions beside skype (which use Kazaa's NAT traversal if I remember correctly).
The current top of the best is ICE which combines several older techniques (STUN, UPnP, TURN, relay servers) and is widely supported.
As long as your software supports ICE (as most of them currently do) you can call or get called behind a NATed router.
(I think virtually any modern VoIP client support some NAT traversal and lots support the full ICE standard spectrum).
- There are ways to implement complete end-to-end encryption over an RTP connection and ways to detect a Man-in-the-Middle attack/eavesdropping.
SRTP (for encryption) and ZRTP (for key exchange).
And by complete I mean anything leaving your trusted part is completely encrypted and is only decrypted when arriving at the destination PC.
It's not a black box like Skype, it's opensource that can actually get audited for bugs/exploits/backdoors.
And again as it is a standard, any ZRTP/SRTP software can communicate with any other.
Jitsi to Twinkle just to give a possible combination.
- For accounts there are a lot of providers, including very well known.
If you have a Google account, you can connect to the GTalk XMPP server (and on Windows, you can even install a plugin to do VoIP from within their web application, without even needing an actual Jingle client - though it doesn't support encryption for obvious reasons).
If you have a Facebook account, you can connect to their XMPP gateway (and probably even manage to do VoIP as long as both ends use a Jingle-compatible software - I don't think Facebook's voice applet is bridged over their XMPP gateway)
So you don't even *need* to ask anyone opening some new account. Most of the people you know probably have some account that they can already use.
- For interconnecting with regular networks: there are tons of providers with various prices and conditions.
There's much more choice and diversity than Skype's only SkypeIn/SkypeOut paid service.
But okay, it's a minor inconvenience, because encryption doesn't work for obvious reasons.
So in short, moving out of skype has nothing to do with starting to use just one obscure software that nobody has ever heard about.
It's just about using the standards that the rest of the world (the non-Skype part) are using with any software of your liking.
Our families all use Skype and it works fine.
Some of them use Google, which means they can start communicating securely with you simply by installing any Jingle/ZRTP software and logging in with their GMail/GTalk credentials (Jitsi is just a random example, cited because Tor's creator recommends it).
Same with any other service that provides XMPP
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Well and that's the small advantages of living in a true direct democracy.
Under those circumstance, the majority of the population *has* voted for it/against it.
In Switzerland, for example, there is no law forcing VoIP providers to cooperate with police. For such a "Mandatory backdoors" law to exist, it would need to get voted by the population.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
If I was going to be discussing anything which I felt required ANY level of security, I sure as hell wouldn't use Skype or any other centralized service.
Apart from a few basic log-in/bootstrapping stuff, Skype is NOT centralized. It's distributed and the traffic is either peer-to-peer or goes through a random supernode.
The problem of Skype isn't that it's centralized or not. (In fact, it's pretty much possible to get some privacy even in the case of a centralized structure - in fact that's what the OTR plugin provides for text chat in Pidgin, Adium and the like: put a layer of end-to-end encryption above anything).
The problem of Skype is that even its encryption layer is a blackbox. You can't have a guarantee that it is end-to-end. It might be that it uses some key encryption system for which Microsoft could give the private key if asked to. And then the encryption key of any intercepted data could be easily obtained with the private key and the data recovered.
The encryption layer itself, and anything staying above it (the interface) should be auditable.
But then again, I'm not going to go through the effort of setting up a highly secured comm channel just so I can hurl insults at the people who are shooting me in the back instead of laying down covering fire.
But you should. Not that your insults need to be protected from eavesdropping. But because for encryption to be really efficient, it needs to be pervasive.
If people only use encryption occasionally, when they need privacy, the use of encryption itself is information. (Encryption = Hey he's speaking about something he doesn't want to know. I bet there is some material to blackmail him / to threaten him)
If everybody uses encryption always, there's no way for BigBrother to tell if you're discussing bank account numbers, embarrassing personal history or political opinions which aren't in line with the ruling dictator, or if you're simply shouting insults about your raid teammate's genitalia or calling your girlfriend mushy names.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
OTR for text works with Skype because Skype just takes text input and sends it as-is over its network. It doesn't make any difference if you're typing cleartext into Skype's window, or if Pidgin is sending OTR-encrypted text over the Skype adaptor plugin to Skype.
Skype will transmit "Hello World!" as well as "Uryyb Jbeyq!"
The problem is that Skype doesn't work that way for audio and video. Skype expects to receive plain audio and video from the webcam and then process the media stream itself (lossy compression and then encryption).
So Skype needs to receive regular video with actual images in it and audio streams with actual sounds in them; you can't feed it pre-encrypted streams like OTR does for text.
From that point on, there are 2 solutions:
- You try to use some kind of analogue encryption (which produces an audio/video stream as output) and the "encrypted stream" will get compressed and sent.
But nowadays, with the available processing power, it's almost trivial to break an analogue encryption on the fly. (Nagravision for example).
- You use a modern very high performance compression, a modern encryption, and then encode the results in a form which could be fed to Skype as an audio/video feed (for example: send the data as video of QR codes, and modulate the audio data stream into a soundwave). But given the lossy nature of Skype's own audio/video processing, the resulting bitrate is going to be catastrophic.
At that point it's much easier to simply install any SIP or XMPP/Jingle capable software, which can also do ZRTP/SRTP encryption on its RTP streams.
The mentioned Jitsi is one solution, but as all these are standards (SIP, XMPP, Jingle, RTP, SRTP, ZRTP) any other software could do the trick and interoperate.
(You could be using Jitsi, and I could be using Twinkle. But as both support ZRTP and SIP, we could still get a secure end-to-end channel.)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
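The point made in the comment above (a transport that passes text as-is can carry an end-to-end encrypted layer, which is what OTR does over Skype text chat), as an added Python example that is not part of the original comment and is not OTR itself. The pre-shared key, the `?E2E:` prefix, the function names and the HMAC-based stand-in cipher are assumptions chosen so it runs on the standard library alone; OTR negotiates its keys with a Diffie-Hellman exchange instead.

```python
import base64, hashlib, hmac, secrets

PREFIX = "?E2E:"  # constructed marker, not the real OTR wire format

def _subkeys(shared: bytes):
    # Derive independent encryption and MAC keys from the shared secret.
    return (hmac.new(shared, b"enc", hashlib.sha256).digest(),
            hmac.new(shared, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stdlib-only stand-in for a vetted cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(shared: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC, then armour as plain text the transport will accept."""
    enc, mac = _subkeys(shared)
    nonce = secrets.token_bytes(16)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return PREFIX + base64.b64encode(nonce + ct + tag).decode("ascii")

def open_message(shared: bytes, wire: str) -> str:
    """Verify the tag before decrypting; raise ValueError on any tampering."""
    if not wire.startswith(PREFIX):
        raise ValueError("not an end-to-end encrypted message")
    raw = base64.b64decode(wire[len(PREFIX):], validate=True)
    if len(raw) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    enc, mac = _subkeys(shared)
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct)))).decode("utf-8")

def relay(text: str, seen: list) -> str:
    """The untrusted text transport: logs what it carries and passes it on as-is."""
    seen.append(text)
    return text
```

The relay only ever holds the armoured string, and any change it makes to that string in transit causes `open_message` to fail instead of returning altered text.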
Yes, you can wrap Skype (at least for text); there's an API for that (well, several different APIs actually: you can do it directly, over DBus or over the network).
Text is wrapped as is. (Skype will send and receive any arbitrary text string it is asked to).
For audio the situation is slightly different: Skype will start its own window, and will get its audio stream from the sound system. Feeding audio from another piece of software would require fumbling around with the audio routing framework of your operating system (like PulseAudio in most modern Linux distributions).
Pidgin is a possible solution (and other software using the same backend like Adium or Telepathy):
- Pidgin supports, among others, open standards like XMPP and Jingle.
- You and your relatives can log in using their Google Talk credentials and chat with anyone else using XMPP. (Or Facebook Chat credentials, but due to the way Facebook's XMPP gateway works, they can only reach other Facebook Chat users. Not arbitrary XMPP users).
- As Pidgin supports Jingle (and ICE for NAT traversal), you can also call people that way.
- Pidgin also has a nice 3rd party plugin done by Eion Robb which can wrap Skype.
Contacts are shown in the Pidgin contact list. And due to how Pidgin works, you can bind contacts from several networks as a single buddy.
Text shows directly in the Pidgin chat window (and is grouped by buddy. You can seamlessly jump from GTalk to Skype, etc.)
Skype launches its own calling window when voice or video calling.
- For text encryption you can install the OTR plugin. If both ends have OTR (no matter on which software) text messages will be encrypted end-to-end, no matter on which network (so you can even force end-to-end encryption for text messages on Skype if both ends use OTR above a wrapped Skype).
The only drawback is that Pidgin doesn't support ZRTP encryption for video and audio yet, unlike the suggested Jitsi.
So currently Pidgin is okay for your idea to progressively move people to another piece of software which also supports open standards. But it's not okay if you want to secure your privacy (the needed parts of the standards aren't supported yet).
I don't know about Telepathy, though (it uses a different set of libraries for chat in addition to the Pidgin back-end).
Jitsi does do ZRTP encryption for video and audio, supports standards (XMPP and SIP, for example) and even reverse-engineered protocols (MSN, etc.)
But nobody has written a Skype wrapper for it, as far as I know.
But it's just a question of developer time:
- There are already open-source ZRTP implementations, so it's not über hard to add support for ZRTP into Purple (Pidgin/Adium's back-end).
- The Skype API is well documented and there's even the source code of the Purple plugin as an example, so it's not über hard to implement Skype wrapping on Jitsi.
With SkypeKit (the newer API to access the Skype network. Basically just a library instead of wrapping the whole Skype in the background) the situation is slightly more complicated due to its licensing (according to Eion Robb - no easy way to integrate into open source).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
For me, the main reason I do not have Skype on all the time is because my computer already runs too many things in the background as it is.
From experience: Skype doesn't use that many resources when running in the background.
(I'm running Pidgin on Linux with the purple-skype wrapper plugin).
Also, my computers make poor dedicated phone devices. So to me, Skype does not replace the cell phone in my pocket. And my long distance phone bills also are not very high to begin with, so it's not like I even need to bother with that kind of stuff.
And the cellphone could easily be running a standard SIP or XMPP/Jingle client (for example, there are such applications for Android. But as the protocols are standards, apps could be developed for anything with enough processing power).
It combines the cellphone's nice form factor with all the advantages of VoIP using an open protocol.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Can all the alternatives solemnly promise me that they're secure too?
If they use open source code to implement open standards, they are much easier to audit.
You might not be able to do it yourself, but with enough other eyeballs looking at it you can guess that problems will be easier to spot.
You could even start crowdfunding (say, Kickstarter) to get knowledgeable experts paid to review the code.
That's not possible with closed black boxes like Skype.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]