Slashdot Mirror


Microsoft Won't Say If Skype Is Secure Or Not. Time To Change?

jetcityorange writes "When asked repeatedly, a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]. Microsoft was granted a patent a month after purchasing Skype that covers 'legal intercept' technology designed to be used with VOIP services. Is it time to consider more secure alternatives like Jitsi, as Tor's Jacob Appelbaum suggests?"

12 of 237 comments

  1. Seriously? by Anonymous Coward · · Score: 5, Insightful

    The more shocking idea is the assumption that any major VOIP service based in a major country does not allow intercepting on their services.

    1. Re:Seriously? by arbiter1 · · Score: 5, Informative

      Agreed, it's dumb to assume your calls can't be tapped. It's like you're using WiFi at McDonald's and thinking you are 100% secure. MS has to work within the law.

    2. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      This is the sort of thing that should be attacked at the source, which is the government, not the companies/people that are obliged to abide by the laws set out by that government.

  2. seriously? by GNULinuxGuy · · Score: 5, Insightful

    If you are serious about privacy Skype was never even an option! ;)

    --
    Earn Cash and Prizes, and get free stuff!
  3. Like any of my conversations . . . by Nostrada · · Score: 5, Insightful

    . . . with my Family are of interest to any government. Come on, Skype is for keeping in touch with the old folks at home. For anything serious you would use something more peer to peer without any 3rd party involved. And even then . . .

    --
    Cheers, Nostrada
  4. Re:If there is a third party... by silas_moeckel · · Score: 5, Informative

    I would have to disagree. I can ensure that my communication is not tapped between me and other parties even going through third parties. This is the basis of public key crypto. The third party can still track who I communicated with but not what was said. Tor and similar systems are meant to take care of that (if you're seriously paranoid, systems to connect two parties have existed since well before the modern computer).

    --
    No sir I don't like it.
  5. Re:I'm actually relieved to hear this by tooyoung · · Score: 5, Funny

    The thing that's new (to me, I hadn't heard it) is that Microsoft purchased Skype.

    Who knows what wonders the rest of 2011 will bring for us!

  6. Re:VOIP by davester666 · · Score: 5, Insightful

    That's funny.

    What 'world of hurt' would Microsoft be in for?

    Don't you remember what the US gov't did to help out their friends at AT&T and the rest of the 'conventional' phone industry when they happened to get caught assisting the gov't in mass recording of phone calls?

    Is there any gov't that is not interested in even occasionally listening in on some Skype calls? No. Any countries passed a law preventing wiretapping VOIP calls? No. So having a back-door into every call is legal around the world.

    All that's left to argue about is how that back-door is used. And surely you can trust Microsoft to do what's right.

    And I'm sure they've only occasionally wiretapped calls where neither user is within the borders of the requesting country.

    --
    Sleep your way to a whiter smile...date a dentist!
  7. Do you trust Phil Zimmermann? by jhaar · · Score: 5, Informative

    Then check out his latest venture

    https://silentcircle.com/

  8. Re:Ok... by starfishsystems · · Score: 5, Informative

    It isn't entirely clear whether PC-PC skype connections would be treated as part of that 'interconnected VoIP service' or whether, because they aren't directly interconnected, they are treated separately.

    As someone involved with engineering a CALEA intercept appliance, I can offer a practical answer to your question. If you operate a network under jurisdiction of the United States and you receive a court-ordered request to intercept packets transiting that network to or from an IP address or a person as identified in that court order, you must intercept those packets and only those packets, and you must make them available for retrieval by the law enforcement agency identified in the order. If you fail to do so, you're subject to a substantial fine for each day of non-compliance.

    It doesn't matter what data the packets may be carrying, or whether the LEA knows how to interpret them. Your responsibility is simply to perform the packet capture and make the data available. What Microsoft thinks about this has absolutely no bearing on the problem.

    --
    Parity: What to do when the weekend comes.
  9. Skype is insecure. by bmo · · Score: 5, Insightful

    "When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]"

    Then it's not. When you have to guess, in this case, whether Skype is secure, assume the worst. Absence of proof of security is proof of no security.

    --
    BMO

  10. Re:Is Jitsi more secure? by FireFury03 · · Score: 5, Informative

    I will ask a friend who works in IT if he can help me, but I'm pretty sure he will tell me that he's not familiar enough with SIP to help me out.

    Googling for "Asterisk" is a pretty good place to start.

    I'm not entirely sure why it's so complicated in this day and age to cut out the middle men and connect with your relatives directly through the Internet, but well, that's the way it is at the moment.

    Largely you can blame NAT. Some background on how SIP works when you place a call to someone:
    1. The calling phone sends a SIP message to the callee's phone asking it to ring. The SIP message also tells it where (ip address / port) to send the media (audio / video)
    2. The callee's phone rings
    3. The callee picks up
    4. The callee's phone sends a SIP message to the caller's phone telling it that the call has been picked up. The SIP message tells it where (ip address/port) to send the media.
    5. Both sides start sending media over RTP to the other, since they have now exchanged media destination address details.
    6. The two parties have a conversation.
    7. One of the parties hangs up
    8. The hanging up phone sends a SIP message to the other phone telling it the call has terminated
    9. Both sides stop sending media

    This fundamentally does not require any middle-men - you can tell your phone to call someone else's directly if you know its IP address (which you could discover using DNS, for example). However, there are some issues with this simple view on things:
    A. In the real world, phones don't have static IP addresses, they move around the internet. This problem is fixable with dynamic DNS, although now you've introduced a third party (the DNS server).
    B. People usually have firewalls between them. If the callee's phone isn't directly accessible from the caller's network, the caller can't send the initial "ring" SIP message. This could be fixed by poking a hole in the firewall for port 5060. More usually it's fixed by having a SIP registration server somewhere on the internet - your phone connects to that server and that server is responsible for relaying SIP messages to it. So calling phones actually send the SIP packet to the registration server rather than directly to the callee's phone (this also fixes problem (A) without the need to resort to dynamic DNS too, since the callers now only need to find the registration server rather than the phone itself). Of course, your registration server is a "middle man", but luckily only carries the signalling traffic - the media still goes directly between the phones, which is good since it takes the shortest network path, therefore improving the quality of service.
    C. This one is the killer - NAT. Remember the phones exchanged addresses to send the media to? Well, the problem is that once you stick NAT in the way, those addresses change... and they change in a way that is completely unpredictable. So now the endpoints have no idea where the hell to send the media. The workaround to this is to send the media via a server too. And there you go, the dream of true peer-to-peer VoIP has been completely shot out of the sky.

    Once IPv6 is widespread we can go back to just sending the signalling via external servers rather than the entire media stream, but I'm afraid NAT is way too widespread to get away with that on the IPv4 network.

    Of course, there's nothing stopping the phones doing end-to-end encryption on the media, which would largely make the existence of a middle-man irrelevant, from a security perspective. On a closed system like Skype, there's no way to know which nodes are able to decrypt/decode the data though, so in that case you're always going to have to trust the vendor to tell you the truth instead of being able to independently confirm the security of the system.
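
Added example, not part of the comment above: a Python sketch of problem (C), reading the media address a phone advertises in its INVITE and comparing it with the address the packet actually arrived from. The INVITE, the addresses and the function names `media_destination` and `media_path` are constructed for illustration.

```python
import ipaddress

# Constructed sample: an INVITE as a registration server would receive it from
# a phone behind NAT. The phone only knows its private address, so that is
# what it writes into the SDP body (the c= and m= lines).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

# RFC 1918 private ranges: addresses that are not routable across the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def media_destination(sip_message):
    """Return the (ip, port) the sender asks its peer to send audio to."""
    _, _, body = sip_message.partition("\r\n\r\n")
    ip = port = None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("no audio media description in SDP body")
    return ip, port

def media_path(sip_message, observed_source_ip):
    """'direct' if the advertised media address is usable, else 'relay'."""
    advertised = ipaddress.ip_address(media_destination(sip_message)[0])
    observed = ipaddress.ip_address(observed_source_ip)
    # A private or rewritten address means the far end cannot reach it,
    # so the media has to go via a server, as the comment describes.
    if advertised != observed or any(advertised in net for net in RFC1918):
        return "relay"
    return "direct"
```

Matching addresses do not guarantee a direct path, since a NAT can also rewrite the port and a firewall can still drop unsolicited inbound media; the check only shows when the advertised address is certainly unusable.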