Slashdot Mirror
Microsoft Won't Say If Skype Is Secure Or Not. Time To Change?
jetcityorange writes "When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]. Microsoft was granted a patent a month after purchasing Skype that covers 'legal intercept' technology designed to be used with VOIP services. Is it time to consider more secure alternatives like Jitsi like Tor's Jacob Appelbaum suggests?"
The more shocking idea is the assumption that any major VOIP service based in a major country does not allow intercepting on their services.
If you are serious about privacy Skype was never even an option! ;)
Earn Cash and Prizes, and get free stuff!
If there is a third party running the server in the middle, there can be no trust. Run your own server if you need security. There are lots...
However, with minimal security, you can at least avoid any automated eavesdropping. And arguably, there is consumer level security that can stand up to almost anything short of someone hitting you with a wrench.
It's been assumed for a long time that Skype is insecure, as one would expect from a prominent closed-source solution like that. The thing that's new (to me, I hadn't heard it) is that Microsoft purchased Skype. I have no particular fondness for Microsoft but they're more upstanding than Ebay, which gave up a lot of customer information after 9/11 without warrants and denounced other companies for not doing the same.
I just tried Jitsi while /. was in maintenance mode. It does not work on this very standard Win7 box. Incoming audio is missing; logs are missing. Uninstalled already - not usable. Bria works fine. My VoIP server (3CX) is on the local subnet.
But even beyond that, Jitsi is not a solution; it's a component. The only way to make it into a solution is by selling your soul for cheap to the likes of Google and Facebook. That would be counter-intuitive for a product that sells itself as a secure thing.
The only reasonably secure way is to run Jitsi on your own SIP server. However that is not an exercise for everyone. A geek can deploy a SIP server, but a common man cannot even understand what we are talking about here.
I'd say that 3CX people already have a solution. First, they have a TCP tunnel that you can use to go through firewalls and specifically NAT. Then they support encryption. And finally, their stuff works. (This is important, despite what some geeks say.) They also have a client for Android (besides the usual suspects.)
However in terms of simplicity Skype leads the pack.
. . . with my Family are of interest to any government. Come on, Skype is for keeping in touch with the old folks at home. For anything serious you would use something more peer to peer without any 3rd party involved. And even then . . .
Cheers, Nostrada
But of course, we _are_ talking about Microsoft in this case
Which comes with benefits too. Microsoft being a big, publicly traded company with offices in all major countries has to follow consumer protection and privacy laws too, and they can be in for a world of hurt if they don't. Using some 'inherently private' setup runs the risk that somewhere along the line that system both has a bug in it, and that bug is being actively exploited against you - and you have no recourse against the company running it (or the peers).
Here's my question - I'm hoping some knowledgeable slashdotter with some IP nouse can clear up my confusion. Are there any technical, or any legal reasons, why a 3rd party app cannot simply wrap Skype, at least for voice calls (leave video aside for now). Lots of 3rd party apps present as printers to the OS, and when you print to that virtual printer, they create an eps file or a PDF file or whatever.... Why is it hard for a 3rd party app, similarly, to present as a headset (mic + speakers) to the OS, allowing the user to run Skype as well as the 3rd part VOIP app, and select that headset in the Skype audio options. You could then run your 3rd party VOIP solution, and have Skype set up to start in the background. calls in either direction to others on Skype could be handled transparently in the 3rd party VOIP app, and that would give users the chance to gradually get their network of friends and family swapped over to open, standards compliant VOIP solutions, without having to give up on contact with those running Skype (face it, that's everyone), or switch between 2 apps for calls (I understand the API already exposes things like accept call...) If this is a viable way to overcome the powerful networking externailities that Skype now has working in its favour as a barrier to new entrants, has it not been done because of a)legal b)technical c)marketing or d)other issues?
ceci n'est pas un sig
And if we're to the wrench hitting level, breaking into your house and installing a mic bug in your keyboard works a treat for tapping your VOIP conversations.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
That's a rather defeatist attitude.
Sure, the government could fake an anal probing and install their monitoring infrastructure in my nether cavities, but is it worth all that trouble?
It's not about if you can be tapped, but how much resources were used to do the tapping. ZRTP (endpoint-to-endpoint encryption) mentioned in their alternative Jitsi, would substantially raise the bar for casual automated interception.
That's the idea really. Make it to where everything they intercept is heavily encrypted with well used, well scrutinized encryption methods. If they want to bypass that encryption it will require having direct control over your device, to have direct influence on the platforms and software, or well known backdoors in software. That substantially raises the bar on multiple fronts since it will require specially crafted malware, special legislation (boy will that be unpopular), and maintained secrecy (conspiracy theorists say that have it already) with cooperating companies. As for the secrecy, we are discussing patented technology to help the government automate eavesdropping right? Not like it is a big secret....
The article has the answer already. It is time to move on. Find a newer platform that will not allow eavesdroppers and act only as a middleman to setup heavily encrypted communications. There are plenty of SAAS providers that only store encrypted data so they can turn over that data on demand to law enforcement and not have the keys.
What may help the most, is what is lagging ass... IPv6. I can see a future with DNS records and open source P2P services that will allow us to directly control who can initiate communications with us. Once you get around not requiring a middleman to punch through NAT for VOIP services it becomes substantially easier to perform call setup and tear down.
If you are getting concerned _now_, then you have been asleep at the wheel.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"Anything transmitted online - whether it be VOIP or cleartext or whatever - can be tapped"
I would dispute this. Or do you mean "They could tap it given several centuries and all the computing power on the earth" ?
Some of encryption is that good, and no I don't believe that the secret, shadowy, magical NSA have backdoors in every encryption library on the planet.
That's funny.
What 'world of hurt' would Microsoft be in for?
Don't you remember what the US gov't did to help out their friends at AT&T and the rest of the 'conventional' phone industry when they happened to get caught assisting the gov't in mass recording of phone calls?
Is there any gov't that is not interested in even occasionally listening in some Skype calls? No. Any countries passed a law preventing wiretapping VOIP calls? No. So having a back-door into every call is legal around the world.
All that's left to argue about is how that back-door is used. And surely you can trust Microsoft to do what's right.
And I'm sure they've only occasionally wiretapped calls where neither user is within the borders of the requesting country.
Sleep your way to a whiter smile...date a dentist!
Then check out his latest venture
https://silentcircle.com/
They patented VOIP wiretaps so no one else could do it. You can sleep soundly tonight knowing that if anyone* even tries to wiretap your calls, they'll slap them so hard with a patent infringement suit their grandkids will still be indebted to Microsoft.
*The term "anyone" does not include government agencies, Microsoft business partners, affiliates or Microsoft itself.
It isn't entirely clear whether PC-PC skype connections would be treated as part of that 'interconnected VoIP service' or whether, because they aren't directly interconnected, they are treated separately.
As someone involved with engineering a CALEA intercept appliance, I can offer a practical answer to your question. If you operate a network under jurisdiction of the United States and you receive a court-ordered request to intercept packets transiting that network to or from an IP address or a person as identified in that court order, you must intercept those packets and only those packets, and you must make them available for retrieval by the law enforcement agency identified in the order. If you fail to do so, you're subject to a substantial fine for each day of non-compliance.
It doesn't matter what data the packets may be carrying, or whether the LEA knows how to interpret them. Your responsibility is simply to perform the packet capture and make the data available. What Microsoft thinks about this has absolutely no bearing on the problem.
Parity: What to do when the weekend comes.
caught assisting the gov't
That is, immediately, a separate problem from one of them just spying on you for their own purposes, selling that information to other people or the like.
Wiretap (and intelligence) are lawfully chartered, you may not like it, but you have to accept that governments can do those things, because they've given themselves the right to. They also tell companies what they can't do, and penalize them for such behaviour if they are so inclined, an entity not attached to country where you have legal standing can basically do whatever the hell it wants to you and you can't do anything about it.
"When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]
Then it's not. When you have to guess, in this case, whether skype is secure, assume the worst. Absence of proof of security is proof of no security.
--
BMO
When I heard Microsoft had purchased Skype, my first thought was "Skype is dead". It only remained to find out in what way it met it's demise.
Yes its back to using my Nokia ... oh wait!
I like how you phrased that. that the govs *give themselves* the right to wiretap. this was NEVER a right transferred from the people to their rulers.
"but we can catch bad guys!"
yeah, and you can catch good guys, too. is this balance worth it? when we all lose our sacred (imho) right to private comms with each other, as we choose? when we have to wonder 'is someone going to use this out-of-context such and such against me if they tap into my comms?'
chilling effect. its here and its disturbing.
but the govs gave themselves this right. they STOLE this right without due process.
no one seems angry about it as its all explained as 'well, if we catch bad guys, how can you be against this?'
we once used to think that it was more just to let a few bad guys go than to have even one innocent guy be punished. but we have broken this idea with our privacy. we think that trading privacy for security is a 'win'.
we didn't always think this way, though.
every time I hear 'lawful intercept', I throw up a little. it makes me sick what we do to our dignity and personal rights. its NOT a fair trade! and we were NOT asked!!
--
"It is now safe to switch off your computer."
I don't disagree with your comment, but..
ZRTP (endpoint-to-endpoint encryption) mentioned in their alternative Jitsi, would substantially raise the bar for casual automated interception.
I'd say it'd make it nearly impossible (without resorting to active attacks using malware and stuff like that). It uses no PKI, unlike HTTPS, and you can enforce and define which encryption methods to use (public cryptosystem, hash function, cipher). If you're worried about the NSA being able to break AES, you can run your conversations over AES+Blowfish+Serpent or something silly like that.
If they want to bypass that encryption it will require having direct control over your device, to have direct influence on the platforms and software, or well known backdoors in software
True, but in the case of Jitsi (and stuff like Pidgin-OTR), there are no "keys to be stolen", unless your device is already compromised during the session: it has perfect forward secrecy, which means that each session uses a random key which gets deleted at the end of the session, effectively preventing "rubber-hose cryptanalysis" of past conversations (assuming none of the endpoints is logging the conversations is cleartext or something).
Given this and the point above, Jitsi seems pretty good, and I'm not seeing how any type of automated eavesdropping could be done against it, as long as the two endpoints are "clean".
IBM Model M FTW!
Halflife of 20 years and it will deafen any bastard listening in to a bug within 10 feet of it!
Just knowing who you're talking to can be all the info they need.