Microsoft Makes Skype Easier To Monitor
In a follow-up to a story earlier this week, derekmead writes "Skype has undergone a number of updates and upgrades since it was bought by Microsoft last year, mostly in a bid to improve reliability. But according to a report by the Washington Post, Skype has also changed its system to make chat transcripts, as well as users' addresses and credit card numbers, more easily shared with authorities. As we've already seen with Facebook and Twitter, big Internet firms aren't digging their heels in against government requests, which shouldn't come as a shock; angering the authorities is bad business. The lesson then is that, while the Internet will always retain a vestige of its Wild West days, as companies get bigger and bigger, they're either going to play ball with governments or go the way of Kim Dotcom."
sorry, not going to do it.
Time to switch to something where we actually know what the software is doing.
...will this mean "wiretapping" via traditional warrant methods, or warrantless eavesdropping, either by non-warrant request or by essentially giving them the keys to the castle?
If it's traditional warrant methods then I'm not really any more concerned than I am for regular phone calls on POTS lines. If it's otherwise then I'm glad that I never set up a Skype account.
Do not look into laser with remaining eye.
People up to something will use a smaller, more secure system, perhaps even rolling their own communications (hey, it's not that hard).
So the people they really want to monitor are *us*.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
Umm, how about no thanks? It's time for the programmer community to develop easy to use, robust, strongly encrypted, point to point programs.
And that will happen right after IPv6 becomes standard and NAT goes away. Point to point is pretty tricky to make 'just' work in our current "IPv4, nearly everyone is behind a NAT" system.
Realistically, a middle man is going to be here for a long while yet.
My computer can connect to another's computer and we can exchange encrypted traffic and we don't need anyone in the middle to snoop on us to make that possible.
You dumped your ISP?
“He’s not deformed, he’s just drunk!”
MS just seems to time some of their mis-steps so well. There is hope. I only wish some of the Linux distros didn't screw up their desktop environments just as Windows 8 was coming out and Valve was looking at Steam for Linux.
This from the TFA:
Skype has gone under a number of updates and upgrades since it was bought by Microsoft last year, mostly in a bid to improve reliability. But according to a killer report by the Washington Post, Skype has also changed its system to make chat transcripts, as well as users’ addresses and credit card numbers, more easily shared with authorities.
The " to make chat transcripts, as well as users’ addresses and credit card numbers, more easily shared with authorities" is pure speculation.
And the alleged updates "since it was bought by Microsoft last year" (supernodes hosted in central data centers) were actually started in 2010, well before the Microsoft acquisition:
http://www.zdnet.com/skype-talks-back-to-critics-on-security-and-privacy-7000001682/
But this is slashdot. Why let facts get in the way of a good rumor-fueled speculation when it promises for a good Microsoft bashing?
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
That will work until the alternative solution crosses a certain threshold of users, the founders sell out to Microsoft or Apple or Google and the new technology is monetized and put under monitoring, just like Skype and Vonage and Napster and Lindows before them. Lather, rinse, repeat.
Will Jitsi let me call home to my old wired phone?
Yes: ...BUT...
Jitsi supports the SIP standard and there are plenty of SIP-to-POTS providers around (for example, I use Switzernet, which is based in Switzerland and free to/from several European countries. Works with both my SIP programs - Ekiga and Twinkle).
For obvious reasons there's no easy way to guarantee end-to-end encryption. So you *CAN* call home, but you won't get guaranteed privacy.
For full end-to-end encryption you need:
- a digital link from the source to the other end (which is not the case when bridging to POTS)
- the possibility to audit the software used at both ends, so that there are no bugs or implementation problems which could leak critical data. (So you need an open-source front-end and an open-source encryption layer, preferably using known, well-tested and documented protocols (like ZRTP). And you need enough independent eyeballs looking at said code.) (Jitsi is open source, so one can check that everything is properly implemented to avoid leaks.)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Realistically, a middle man is going to be here for a long while yet.
Which really isn't a problem - for instance using asterisk as a ZRTP passthrough.
In theory this should cost ~$3/mo for most people to use if both ends are correctly configured.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You dumped your ISP?
I've never tried a ZRTP connection through Tor, but in theory that's most of the necessary parts.
If governments didn't attack Tor exit nodes there would be plenty of bandwidth available for everybody to have this level of privacy.
But if said friends have a Google account, they can already log into a XMPP/Jingle server using any compatible client (like Jitsi) and, as long as both ends support ZRTP encryption, the communication will be secure.
Has someone tried whether Jingle works between people connected on Facebook's XMPP gateway?
In both cases, you don't need to drag your whole network into a newer system; you only have to convince users to install software supporting the necessary standard, since you already have a network to leverage.
Now if someone could write a Skype wrapper for Jitsi (like there is one for Pidgin/Adium's Purple), or if someone could implement ZRTP in Pidgin, you could even have Skype and SIP or XMPP contacts in the same application.
Architecture that facilitates a man in the middle attack (which is essentially what this does) is just asking for trouble. Skype used to have a pretty impressive peer to peer encryption design. No longer, I guess.
This is bad if law enforcement uses it illicitly. It's worse if some Skype/Microsoft employees go rogue, or if a hacker breaks into the infrastructure. I mean, you're baking insecurity right into the design of the frickin' product. What could go wrong?
I wonder sometimes if big brother is going to knock on the door tomorrow and stick a monitoring device right up my backside.
My comments are my own, and do not represent the views of my employer, my spouse, my children, or my cats.
Which really isn't a problem
The "problem" is that we want point to point communications (no middleman) that aren't a pain to make work.
Your solution doesn't seem to address this.
- for instance using asterisk as a ZRTP passthrough. In theory this should cost ~$3/mo for most people to use if both ends are correctly configured.
We still have a middleman (to whom are we paying $3/mo).
We still have to configure 'both ends' - this is the "pain to make work" that end users don't want.
Point to point communications with no middleman are definitely possible, but realistically aren't practical on the internet as it is.
Honestly, even with IPv6 and a global address space it's not going to be easy enough -- even without NAT, the edge routers in every household and business and wifi hotspot etc. are going to have to let incoming calls in to your device. And that's just not ever going to happen. There is ALWAYS going to be a middleman... the only question is who.
The best we can really hope for is a decentralized non-commercial p2p cluster of middlemen.
I'm posting anonymously because I don't need attention. Here's the chronology and you can find the sources of these claims on your own.
- NSA issues a billion dollar RFP asking for a solution to wiretapping Skype
- as years pass, NSA's concerns about Skype keep on growing, they keep on lobbying lawmakers and industry officials
- out of the blue, MS buys Skype and pays an astronomical price
- buying Skype at that price makes no sense for MS since it poisons their relationships with carriers and pundits are confused
- first thing MS does is it kills supernodes and installs THOUSANDS of Linux servers running grsecurity http://grsecurity.net/news.php#Skype
- that means that ALL Skype traffic now passes through MS servers and can be easily wiretapped since MS holds all the keys and can easily perform a MITM attack
- NSA starts jumping for joy because their biggest black hole has been plugged.
- MS is happy because they are now getting regular large checks from NSA
tl;dr: Skype's a botnet and NSA paid MS to buy Skype
You mean they're going to be vindicated in the face of illegal state action?
(OK, hasn't quite happened yet, but that's the way it's going.)
mostly in a bid to improve reliability
Is this one of those far too numerous grassroots /. articles that try to put a positive spin on a negative situation?
The "problem" is that we want point to point communications (no middleman) that aren't a pain to make work. Your solution doesn't seem to address this.
Oh, I thought we wanted secure communications today because Skype is bugged.
We still have a middleman (to whom are we paying $3/mo).
Which is a decent deal, as compared with Skype.
We still have to configure 'both ends' - this is the "pain to make work" that end users don't want.
Yeah, brand new technology tends to require fiddling. Come back in 5 years and it should be all automatic.
Point to point communications with no middleman are definitely possible, but realistically aren't practical on the internet as it is.
Agreed.
There is ALWAYS going to be a middleman... the only question is who.
Good point. Best that those remain open source so they can be inspected. My edge routers are, though my Telco modems aren't. Fortunately, I can trust those guys to be so cheap as to not put anything with enough memory to be dangerous in my way. ;)
The best we can really hope for is a decentralized non-commercial p2p cluster of middlemen.
A good start would be for governments to stop attacking providers of Tor exit nodes. That's a major impediment at the moment.
...where the NSA et al would mod "up" and not necessarily only all the Microsoft Trolls.
Society use your Sciences
I wouldn't say he intentionally encouraged piracy, but he must have been aware that he derived most of his income from piracy.
The above post was accidentally posted anonymously by me. It was meant to be posted in my name. Obviously, I'm not a regular contributor here.
>You dumped your ISP?
ISP is irrelevant with asymmetric encryption. Sure, they may know who I am connecting to, but that's what VPNs are for.
Not if it is an open protocol. ZRTP looks like an asymmetric encryption, you can hardly monitor that.
I can't in good conscience recommend using Skype to any business for communications, which can often be sensitive, as long as Microsoft is putting in backdoors. Need to find another platform.
I've been recommending SIP solutions for business for years. The Grandstream phones work very well when paired with Asterisk servers.
To be honest, I don't know how this news changes anything WRT Skype - it's always been a closed system where the security is completely unverifiable (and the software has been designed to make discovering what it's doing really hard); if you trusted it before you were an idiot.
http://blog.nexusuk.org
I am a grandfather, you insensitive clod! And I'd be happy to drop my POTS for something less 'controlled'.
New mod option wanted: -1 DrunkenRambling
I find it quite amusing, that the software that comes from creators of Kazaa, which uses the same P2P methodology that was developed to help people bypass government- and law-restrictions is now being used to spy on people.
If you're going to use Pidgin and custom plugins, what's stopping you from using XMPP instead of Skype?
You're missing the point here, the problem with Skype is that it's perceived as easy to use and it was the first popular one on the market, so it's crazily widespread. I use Jabber with my family, employees and other people whose computers I can control. I use Jabber with some technical people whose computers I do not control. But I gotta use Skype with non-technical people I can't influence about software they use.
There are some problems with a completely peer-to-peer system. I would love this to happen, so I have given it some (not much) thought..
So it would probably be slow with current tech.
Thinking a bit more about it, it would be much, much simpler if you externalized the key storage, authentication and contact list. Just have people store those things in an encrypted file, and people who want to access it from multiple computers can use Dropbox or something like that. Then for adding contacts, have a challenge/response protocol, requiring a small secret to be communicated out of band.
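The challenge/response contact-add described in the post above, and the "whoever holds the keys can run a MITM" concern raised earlier in the thread, both come down to the same check: the key you are about to store for a contact must be bound to a secret the two of you exchanged out of band, so a relay that substitutes its own key cannot pass verification. The following is an added example, not code from any poster or from Jitsi or Skype; the PIN, the "public key" byte strings and the in-process peer callback are constructed stand-ins for a real key exchange and transport. It uses only the Python standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample keys standing in for real public keys (not real key material).
BOB_KEY = b"constructed-bob-public-key"
MALLORY_KEY = b"constructed-mallory-public-key"


def fingerprint(pubkey: bytes) -> str:
    """Short, stable identifier for a public key; this is what the contact list stores."""
    return hashlib.sha256(pubkey).hexdigest()[:32]


def _pin_key(pin: str) -> bytes:
    # Derive a MAC key from the short out-of-band secret. A domain-separation prefix
    # keeps this key distinct from any other use of the same PIN.
    return hashlib.sha256(b"contact-add-v1|" + pin.encode()).digest()


def make_challenge() -> bytes:
    # Fresh random nonce per attempt so a captured response cannot be replayed.
    return secrets.token_bytes(16)


def make_response(pin: str, challenge: bytes, my_pubkey: bytes) -> bytes:
    # The responder MACs the challenge together with the fingerprint of the key it
    # actually uses. Binding the key into the MAC is what defeats key substitution.
    msg = challenge + fingerprint(my_pubkey).encode()
    return hmac.new(_pin_key(pin), msg, hashlib.sha256).digest()


def verify_response(pin: str, challenge: bytes, peer_pubkey_seen: bytes, response: bytes) -> bool:
    # Recompute over the key *we* received; if a relay swapped the key, this differs
    # from what the honest peer MACed. Constant-time compare avoids a timing oracle.
    expected = make_response(pin, challenge, peer_pubkey_seen)
    return hmac.compare_digest(expected, response)


def add_contact(contacts: dict, name: str, pin: str, peer_pubkey_seen: bytes, ask_peer) -> bool:
    """Run the challenge/response and store the peer's key fingerprint only on success."""
    challenge = make_challenge()
    response = ask_peer(challenge)
    if not verify_response(pin, challenge, peer_pubkey_seen, response):
        return False
    contacts[name] = fingerprint(peer_pubkey_seen)
    return True


def simulate(pin_alice: str, pin_bob: str, bob_key: bytes, key_alice_sees: bytes):
    """Alice adds Bob. key_alice_sees is what arrived over the wire; bob_key is what Bob uses.
    Returns (accepted, contacts)."""
    contacts: dict = {}

    def bob_answers(challenge: bytes) -> bytes:
        # Bob only ever MACs his own key; he never sees what the relay forwarded to Alice.
        return make_response(pin_bob, challenge, bob_key)

    accepted = add_contact(contacts, "bob", pin_alice, key_alice_sees, bob_answers)
    return accepted, contacts


if __name__ == "__main__":
    print("honest exchange:", simulate("4821", "4821", BOB_KEY, BOB_KEY)[0])
    print("relay swapped key:", simulate("4821", "4821", BOB_KEY, MALLORY_KEY)[0])
    print("wrong PIN:", simulate("4821", "0000", BOB_KEY, BOB_KEY)[0])
```

Two caveats a practitioner would add: the PIN is low-entropy, so one captured response lets an eavesdropper test PIN guesses offline, which is why the PIN should be single-use and the exchange rate-limited (a PAKE would remove the offline-guessing problem entirely); and the fingerprint in the contact store is only as safe as the file that holds it, which is the encryption-at-rest piece the post leaves to a separate layer.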
Two words:
Retroactive immunity.
"We are going to implement a backdoor and pray like fucking crazy hackers don't find it to pwn us".
Why do you think they would need to find it, and why do you call US intelligence services doing industrial espionage hackers?
So, what you're saying is, you've created a giant lollipop for crackers everywhere, where they need only compromise your giant database to get millions and millions of credit cards, passwords, addresses, and more. Were I Lloyd's, I would not even offer a probability on this happening at some point in the near future.
*facepalms* It's like they've all been taught anti-security. MS -> "Let's ditch our push to safer, garbage collected, safe strings, randomized memory location languages, and bring back C++ with its insanity; let's design an entire OS that our customers don't want and our developer base is rebelling over; let's put giant, gaping backdoors in previously secure software because despite the NSA's insistence that they hire the best and the brightest, they are apparently incapable of discovering the security flaws that already exist, while high-school students in Eastern European countries find them for free during their lunch hours." USA -> "Let's have a cyber-war with people we've totally provoked (at this point), and which we are totally unprepared for. We will train Marines, who are taught to obey orders, to have the mindset of 31337 h@x0r$, who have a completely different, and exclusive mindset. And f*ck fixing the economy, as everything we do makes it worse (and don't use the word 'depression', use the word 'recession'). And it hasn't dawned on us that every-time we engage in nation building / swapping out other countries' governments, we end up making a new enemy. And criticizing our government's actions is a sign of disloyalty, which gets your name on the No-Fly List." Wat. I can't tell if I should be working, or getting fitted for a super-villain costume.
I am John Hurt.
It's time for the programmer community to develop easy to use, robust, strongly encrypted, point to point programs.
"easy to use" being the keyword on which Free Software has consistently been failing because it is by geeks, for geeks.
Assorted stuff I do sometimes: Lemuria.org
Traffic shaping can take care of that. Until you're off their wire, you're on the hook. There's no way around it. All you can do is hope they don't notice.
Are all my friends already on Jitsi
As Jitsi just uses plain standards, the correct question isn't that, but:
"Are all my friends already on SIP or XMPP/Jingle?"
(The software component itself isn't important. As long as the software supports SIP or XMPP you can communicate with them.
As long as both software ends support ZRTP/SRTP, you can secure the communication. As long as both software ends support OTR, you can secure the text chat. Whichever software is used isn't relevant.
Jitsi is just cited because a Tor developer did recommend it and thus brought some publicity to it. But any compliant software could be used as an example:
Jitsi (SIP, XMPP/Jabber, ZRTP/SRTP, OTR), Twinkle (phone only, so SIP, ZRTP/SRTP, but obviously no OTR), Purple-based like Pidgin and Adium (SIP/SIMPLE, XMPP/Jabber, multiple others including a wrapper for Skype, OTR for text but lacks ZRTP for now), Ekiga (SIP but no ZRTP nor OTR, XMPP planned in the future), and countless others...)
Now back to the question:
"Are all my friends already on SIP or XMPP/Jingle?"
Surprisingly: Yes, they might.
As said, Jitsi (and countless other software) use standards like SIP and XMPP.
XMPP is very popular and several systems use it under the hood (including high profile ones like Google Talk), or provide a XMPP gateway to their own chat system (several social networks, even Facebook).
Also a full XMPP implementation can route messages between different XMPP networks. So you don't even need to be on the same XMPP network as long as both your servers agree to exchange messages (most do, Facebook is a notorious exception).
Google's GTalk runs on plain XMPP/Jingle (they even played a part in creating the Jingle part of the standard). So any of your friends who already have a Google account can use it to log into Jitsi, will see all their Google contacts in it, and can start communicating with any other GTalk user, even those using the web interface (although the web interface's video/audio plugin only works on Windows, and for very obvious security reasons doesn't support encryption).
(Note: Google's own FAQ isn't up to date; for example Pidgin has also supported audio/video calls since version 2.6.x)
As Google implements the full XMPP protocol you can even communicate with people on other XMPP-powered networks. (You can chat using your Google Talk @gmail.com account with people having a Jabber account @jabber.org.)
Another possible candidate is Facebook. Facebook also comes with a huge network of contacts. And Facebook does provide a XMPP gateway to interface their own proprietary chat. Users can log in with their Facebook credentials into any XMPP compliant client and they will see all their Facebook contacts (although due to Facebook's tag-like approach to lists, the group-mode view can be messy) and can chat with them. Now for video/audio, the situation is slightly less bright:
- Facebook's audio/video chat web applet only works with other users of the web applet.
- Skype audio/video calls to other Facebook users only work with Skype (it uses only FB for chat and friend discovery; the video/audio is still handled by Skype).
Now it might be possible that friends connected through the XMPP gateway may attempt to Jingle-call each other. I haven't tested it yet. But if it works, their calls will be segregated, as is already the situation between Skype and webapp users. (Currently Facebook doesn't convert and route audio/video streams between Skype and webapp users, and is very unlikely to introduce it for their XMPP gateway either.)
As it is only a XMPP gateway and not a full XMPP implementation, they don't provide "server federation" and you can't chat with users on other XMPP networks (a @facebook.com account can't chat with a @gmail.com account; it's limited to other Facebook users only).
do I need to
if you trusted it before you were an idiot.
That's a bit harsh.
Skype has ~650 million users. With Skype support in Asterisk it makes it a lot cheaper to take inbound international calls, and still route Skype calls into a traditional call center. There has been some interest expressed by clients that I work with.
There is a big difference between a platform that is reputed to be P2P with strong encryption being trusted to carry communications, and a platform that is openly advertising support for backdoors with law enforcement.
As for completely unverifiable security, are you saying one would be an idiot to trust any SaaS platform that they could not dissect beforehand with respect to business?
At some point some trust must be placed with 3rd party corporations, and agreements put into place, but it is quite different when that corporation is announcing something like this.
So the worst they can do is to block communication? Nice way to be told that somebody has an interest in your talk.