Slashdot Mirror


Russian FSB Can Reportedly Tap Skype Calls

An anonymous reader writes "Previous reports of a Microsoft-provided backdoor to Skype have been unconfirmed. However, there are now reports that Russian federal security service FSB is able to tap calls and locate users. 'FSB and the Internal Affairs Ministry (MVD) have been capable to wiretap and locate Skype users for some years already, reported Vedomosti on Thursday [Google translation of Russian original]. The newspaper is citing experts on information security. "Special services have been capable for several years not only to wiretap but also to locate a Skype user. That's why, for instance, employees of our company are forbidden to discuss business-related topics on Skype," General Director of Group-IB, Ilya Sachkov, says to Vedomosti. "After Microsoft acquired Skype in May 2011, it updated the software with technology allowing legitimate wiretapping," says Maksim Emm, Director of Peak Systems.'"

136 comments

  1. Ah, the consequences of closed-source by staltz · · Score: 5, Insightful

    The Skype P2P protocol has always been an issue to worry about. It's hard to break/understand, and I've seen research papers that just scratched the surface of the protocol.

    I never doubted that really smart minds (like Russians) would eventually crack it and exploit it. This would never happen with an open-source protocol.

    1. Re:Ah, the consequences of closed-source by iggymanz · · Score: 4, Interesting

      no one with a smart mind cracked it, microsoft just rolled over for the russian government

    2. Re:Ah, the consequences of closed-source by Pi1grim · · Score: 3, Insightful

      Of course if I worked for FSB and was unable to tap into Skype, I'd start spreading FUD about how well I can tap into it. To make them move over to less secure means of communication.
      Anyway, I hope this will lead to boost in developing a solution with good crypto. Like jingle or SIP with encryption and its wide adoption. Not that it's happening anytime soon, but a man can dream...

    3. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 0

      You clearly do not have an adequate understanding of how exploits or back doors work, it doesn't matter if it's open source or not, anyone can insert undetectable backdoors.

    4. Re:Ah, the consequences of closed-source by LordLimecat · · Score: 3, Funny

      Since when has "knowing what you're talking about" been a requirement to post on slashdot?

    5. Re:Ah, the consequences of closed-source by gl4ss · · Score: 3, Interesting

      they're acting as if they were a phone company and russkies are probably asking them to comply as if they were one.. to provide taps.
      and they're just locating the ip address of course. it's not like their tap is made of magic sauce.

      +they would spread fud about it anyways.
      the big problem with it if you're discussing sensitive things is plain and simply that it has centralized control.

      SECOND OPTION: it's entirely possible the russkies are tapping them on client side. if not by other means then by bugging the headsets. that would certainly explain how they know EXACTLY where the call is taking place since they're spying the site in person. it's fsb/kgb after all.

      --
      world was created 5 seconds before this post as it is.
    6. Re:Ah, the consequences of closed-source by benjfowler · · Score: 3, Informative

      Microsoft regularly rolls over for the Chinese government too.

      Microsoft has never met a dictator or despot they didn't like.

    7. Re:Ah, the consequences of closed-source by pipatron · · Score: 1

      I think this would just move them over to more secure means of communication, not less. A stupid move. It won't be fun for them when the crooks all route their communication through a couple of global Tor nodes.

      --
      c++; /* this makes c bigger but returns the old value */
    8. Re:Ah, the consequences of closed-source by fustakrakich · · Score: 5, Insightful

      Microsoft has never met a dictator or despot they didn't like.

      Nor has any other business approaching the size of Microsoft. In fact, nobody can get that big without 'assistance' from the authorities. Despotism is big business, the rewards are well worth the collateral damages.

      --
      “He’s not deformed, he’s just drunk!”
    9. Re:Ah, the consequences of closed-source by K.+S.+Kyosuke · · Score: 3, Funny

      Microsoft has never met a dictator or despot they didn't like.

      What about Steve Jobs? *ducks*

      --
      Ezekiel 23:20
    10. Re:Ah, the consequences of closed-source by sabt-pestnu · · Score: 1

      the rewards are well worth the collateral damages.

      ... unless you happen to be the collateral, of course.

      "If you sup with the devil you need a long spoon."

    11. Re:Ah, the consequences of closed-source by camperdave · · Score: 3, Informative

      Microsoft regularly rolls over for the Chinese government too.

      Microsoft has never met a dictator or despot they didn't like.

      Microsoft has never met an entity with a boatload of cash they didn't like.

      FTFY

      --
      When our name is on the back of your car, we're behind you all the way!
    12. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 0

      So you mean there’s a chance that it leaks and we get support for it in Jitsi, Kopete and Pidgin? Yay!

    13. Re:Ah, the consequences of closed-source by unixisc · · Score: 1

      This would never happen with an open-source protocol.

      Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?

    14. Re:Ah, the consequences of closed-source by SpzToid · · Score: 2

      For the most part, at least during the Jobs era, Apple products were beyond the reach of most 3rd-worlders, so catering to despotic countries wasn't an issue. In fact, so much so, it was not part of the Apple business model. (Apple products were thus justly marketed as 'aspirational', and this model is working well over the long-term for Apple).

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    15. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 2, Insightful

      No, see, K. S. Kyosuke was saying that Steve Jobs was a dictator or despot that Microsoft did not like. Not that Apple had also never met a dictator or despot that they did not like.

    16. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 3, Informative

      Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?

      You obviously do not understand open source. If a protocol or software gets big enough that a lot of people use it, it will also get a lot of developers looking at it. If a backdoor is written in, eventually someone will find it and report/patch it.

    17. Re:Ah, the consequences of closed-source by Kingkaid · · Score: 2

      As someone who has been in telecoms a while.. trust me it has been cracked for years. The difference is M$ gave a legit way to wiretap, whereas before everyone just did it improperly.

    18. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 0

      What? They rolled over for the Russian government? They're a company, not an idealist organization. Their purpose is to provide a product to consumers and increase the value for their shareholders, not take an ideological stance against a totalitarian government. Once you do that, you risk the survival of the company, which damages your shareholders' investments and puts at risk the jobs of your employees. As long as they're operating within the law of their host country, like not exporting sensitive technology to the Russians, they should act as a company and provide a product or service.

      Expecting a company to take an ideological or political approach to issues is anathema to why a company exists in the first place. Google may do so, but as a company they're sitting on such a cash cow in their search engine business that they have the luxury to throw away billions on ideological stances, as well as stupid products (Google+) or multi-year free beta tests (Gmail).

    19. Re:Ah, the consequences of closed-source by Beorytis · · Score: 1

      Much nicer AC reply than the "Whoosh!" I was expecting.

    20. Re:Ah, the consequences of closed-source by RabidReindeer · · Score: 3, Interesting

      This would never happen with an open-source protocol.

      Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?

      Not many, I'm sure. But even one is sufficient. And unlike closed-source, that one person may pop up any time, anywhere in the world, including places where it's not possible for interested governments to muzzle him in time to raise the alert.

      One of the reasons WHY open-source is so popular is that things like that can occur, hence open-source people are more likely to pay attention to how secure the stuff they're using is. And conversely, paranoid people will prefer open-source.

      The best time to worry about security is before you need to. Afterwards, it may be too late.

    21. Re:Ah, the consequences of closed-source by Luckyo · · Score: 2

      They're not caring all that much about medium sized crime syndicates that can afford to channel their stuff through TOR. There are different methods to get those.

      Spying on skype is about spying on big and small players who use it, such as large international conglomerates, as well as very small people who have no access to technical expertise necessary for TOR.

      You're essentially making the infamous wrench mistake in assuming that technological problems and solutions are the only ones that exist in the world of security, when they are but the small part of the whole.

    22. Re:Ah, the consequences of closed-source by Samantha+Wright · · Score: 1

      Leave Microsoft's customers out of this!

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    23. Re:Ah, the consequences of closed-source by bruce_the_loon · · Score: 3, Informative

      Yeah, MS rolled over for the Russian government six years before they bought Skype. Good future planning on Ballmer's part.

      The reading comprehension skills here astound me.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    24. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 1

      Apparently, Microsoft changed the way certificates are generated in a software patch shortly after taking over Skype. It used to be the case that certificates were generated locally on the client. They changed that to centrally generated certificates on MS servers which should enable them to sell(?) the ability to tap Skype calls.

      Would anyone happen to know if you could somehow override that?

    25. Re:Ah, the consequences of closed-source by rastos1 · · Score: 1

      it will also get a lot of developers looking at it.

      Sometimes I stare at some code for hours, debug it and still have no idea how it works. And I wrote it.

    26. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 0

      Yeah, MS rolled over for the Russian government six years before they bought Skype. Good future planning on Ballmer's part.

      The reading comprehension skills here astound me.

      Reading comprehension by definition requires one to actually read, which around here is a bad assumption to make. Most posts these days don't get farther than the headline, let alone the summary, and as for the actual article... good luck getting that to happen.

    27. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 0

      I call bullshit - citation and not this nebulous claim by the Russians...

    28. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 0

      Ding Ding Ding! Skype uses solid crypto for comms and anyone who has seriously studied the damned thing knows that. Lesser crypto for traffic management maybe. If it was this easy to crack then it would've been done and published by any one of the dozens of folks who have looked into it. Micro$soft may be providing backdoors now but prior? No way. This is FUD by the Russians.

    29. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 0

      Endpoint tap? sure! Nothing new there, hell I think there's been multiple stories about various Governments doing this in the past. But tapping the encrypted stream without being on an endpoint? No way unless Microsoft has changed things in a huge way and I don't think that's the case other than moving the central nodes into their cloud. Those nodes did nothing for the P2P crypto of the comms.

    30. Re:Ah, the consequences of closed-source by Anonymous Coward · · Score: 1

      Define "undetectable backdoor": Do you mean not able to be detected when in use, or not able to be detected when looking at the source?

    31. Re:Ah, the consequences of closed-source by mikechant · · Score: 1

      You obviously do not understand open source. If a protocol or software gets big enough that a lot of people use it, it will also get a lot of developers looking at it. If a backdoor is written in, eventually someone will find it and report/patch it.

      And further to that, there will also typically be a handful of uber-devs who get to accept or reject patches - getting a rogue patch past one of these people, who know the code better than anyone in the entire world, is going to be near impossible.

    32. Re:Ah, the consequences of closed-source by BigLonn · · Score: 1

      possibly true, also food for thought, so is there skype replacement? Anyone??

    33. Re:Ah, the consequences of closed-source by ufoolme · · Score: 1

      Serious journalists stopped using Skype around the time of Arab spring, I always took this to mean it had already been easily broken. Think about it this way, if you control the network that's one thing, if you control the isp that's another level with lots of options but now if you control the entire country's infrastructure that is a completely different ball game. I wonder how well blackberry runs in Russia.

  2. A reminder. by Anonymous Coward · · Score: 0

    Soviet Union was disbanded in the 90's

    1. Re:A reminder. by Rosco+P.+Coltrane · · Score: 2

      Oh yeah, because Russia today is so much more desirable and has completely stopped all its spying activities.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:A reminder. by RabidReindeer · · Score: 5, Insightful

      Soviet Union was disbanded in the 90's

      And????

      Russia still remains. The KGB is now the FSB. Russia is more open, but it's still not the USA.

      And speaking of the USA, you do realize that Project Echelon and similar efforts have been busily tapping into communications in the Land of the Free for longer than there was a Skype?

    3. Re:A reminder. by Nerdfest · · Score: 4, Insightful

      You speak of the US as if they wouldn't do exactly the same thing (and almost certainly are). This is why there should be an open implementation that supports proper security.

    4. Re:A reminder. by Nerdfest · · Score: 1

      ... and I'll throw this out there as well.

    5. Re:A reminder. by PPH · · Score: 1

      "The greatest trick the Devil ever pulled was convincing the world he didn't exist." -- Keyser Soze

      --
      Have gnu, will travel.
    6. Re:A reminder. by Anonymous Coward · · Score: 2, Funny

      Your government would NEVER LIE TO YOU!

      The denial is strong in this one.

    7. Re:A reminder. by moeinvt · · Score: 2

      Nobody can possibly be this ignorant. Are you a paid government troll by any chance?

      Project echelon has been widely reported on by a number of mainstream news sources. Do you think CBS news qualifies as a bastion of "tinfoil hattery"?

      http://www.cbsnews.com/8301-18560_162-164651.html

      The Church committee hearings in the late 1970s revealed extensive details about the multi-decade long MK Ultra program, including a trove of 20,000 related documents. Do Congressional hearings not count as "official reports"? It was also revealed that thousands of other documents related to the program had been destroyed.

      Are you so brainwashed on the government Kool Aid that you can't even exercise your critical thinking skills and make a cursory examination of widely available and mostly undisputed evidence?

      If you're so naive as to believe the absurdities published in official government reports, go stick your nose up a bureaucrat's ass. I'm sure it will smell like a rose garden to you.

    8. Re:A reminder. by Anonymous Coward · · Score: 0

      No, just a moron from 4chan.

    9. Re:A reminder. by EvilSS · · Score: 2

      "And speaking of the USA, you do realize that Project Echelon and similar efforts have been busily tapping into communications in the Land of the Free for longer than there was a Skype?"

      --
      I browse on +1 so AC's need not respond, I won't see it.
    10. Re:A reminder. by Anonymous Coward · · Score: 0

      they have more to fear us than us for them

    11. Re:A reminder. by Sardaukar86 · · Score: 1

      "The greatest trick the Devil ever pulled was convincing the world he didn't exist." -- Keyser Soze

      Damn that Keyser Soze, it's obviously him we have to thank for that bloody phrase. Always, the mind of man seeks to dominate and enslave through whatever means possible.

      --
      ..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
    12. Re:A reminder. by Anonymous Coward · · Score: 0

      Feb 10th 2013's yer last post. Took ya that long to "eat yer words" http://it.slashdot.org/comments.pl?sid=3417867&cid=42756893 eh, after this here http://slashdot.org/comments.pl?sid=3427183&cid=42849825 ? Hahahaha.

    13. Re:A reminder. by Sardaukar86 · · Score: 1

      Feb 10th 2013's yer last post. Took ya that long to "eat yer words" http://it.slashdot.org/comments.pl?sid=3417867&cid=42756893 eh, after this here http://slashdot.org/comments.pl?sid=3427183&cid=42849825 ? Hahahaha.

      Hi there, clue-free stalking APK chatbot! Pleased to see you're back in action.

      You do have an interesting obsession though. You spend a lot of effort and try very hard indeed to prove that people 'eat their words' when arguing with you.

      You'll never prove anyone a 'beaten opponent', because you cannot rebut a logical argument. Your opponents soon realise there's no value in debating with fools - especially those that mindlessly post lists by way of argument - and move on to more interesting things. To my great amusement, you seem to deal with this differently, instead hanging on to the issue like a little stone baby stuck somewhere deep inside your vagina.

      --
      ..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
  3. Closed source. Closed standards by Albanach · · Score: 3, Insightful

    And therein we learn the lesson about closed source software and proprietary methods. If folk had adopted something based on SIP, XMPP, IAX or any other open and documented protocol, we'd be able to communicate using a tried and tested security mechanism.

    For something like communications, if you're totally and absolutely reliant upon a third party then you also need to have total and absolute trust in that third party or you should consider all your communications using them to be public.

    1. Re:Closed source. Closed standards by Technician · · Score: 2

      SIP is end to end P-P once a connection is established.

      If you need to hide your IP for a Skype session, use a SIP to Skype gateway.

      http://www.dslreports.com/forum/r26518054-SIP-to-Skype-Skype-to-SIP-new-method

      If I Skype you, my IP will resolve to the gateway address. Skype me at skype2ipp, then enter my user name when prompted.

      --
      The truth shall set you free!
    2. Re:Closed source. Closed standards by Pi1grim · · Score: 1

      If only anybody made that stack of rawhide software, frameworks and standards into usable software...
      I mean I can set up an XMPP client with OTR or GPG encryption, haven't tried doing that with SIP, but take Skype users. For most of them comprehending what needs to be done is akin to building a fusion reactor out of household items...
      As for the corporations: all of them gladly use the XMPP standard for their own ends, but only Google bothered to abandon the walled garden ideology and enabled XMPP federation on their servers. Don't see Facebook or MS playing ball on that field. Facebook is even trying to "embrace, extend, extinguish" the email system, so there is very little hope in them enabling XMPP federation.

    3. Re:Closed source. Closed standards by Technician · · Score: 2

      Encrypted SIP may be more secure, but does nothing to hide your IP address. A recently mentioned encrypted SIP client is Jitsi.
      https://jitsi.org/
      Not sure if capturing keys for a man in the middle attack is difficult. A MIM attack by Russia should only be possible when crossing a Russian server. US and Carnivore abilities are unknown.

      --
      The truth shall set you free!
    4. Re:Closed source. Closed standards by elucido · · Score: 1

      Even if it were open source it could still be tapped. Just maybe not as easily.

    5. Re:Closed source. Closed standards by mjwalshe · · Score: 1

      And the government TLA (FSB in this case) says ok phone company "gime" with more or less judicial oversight dependent on your country - it's part of the deal of being a phone company.

  4. How shocking! by Rosco+P.+Coltrane · · Score: 4, Insightful

    Closed source software with obscure network protocol, now owned by a corporation whose main concern isn't the users' best interest, turns out to be not so nice after all. News at 10...

    The best way to use Skype for anything more important than saying hello to your grandmother for free on the internet is not to use Skype. Everybody with half a brain has known that for many years. Duh...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. OMG, you can tap data sent over a wire by alen · · Score: 1

    shouldn't be too hard to trace all packets coming out of an ISP's network in Russia and decode them? or at least decode enough packets for part of a call

    and how many fiber connections go into russia from foreign countries? for all we know the FSB has tapped them all and is reading all the data
    the NSA was doing something like this a decade ago with Narus appliances

    1. Re:OMG, you can tap data sent over a wire by Anonymous Coward · · Score: 2, Insightful

      You say "decode" as though it is trivial.

      You should read up a bit on encryption.

  6. Russian Front Side Bus? by Anonymous Coward · · Score: 1

    Am I the only one who mentally interpreted the headline as: "Russian Front Side Bus Can Reportedly Tap Skype Calls"?

    1. Re:Russian Front Side Bus? by houghi · · Score: 1

      Yes.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Russian Front Side Bus? by VoidCrow · · Score: 1

      No ^^

    3. Re:Russian Front Side Bus? by SpzToid · · Score: 1

      Uncertain. I suggest you check your power source, and reboot just to be sure. o|o

      --
      You can't be ahead of the curve, if you're stuck in a loop.
  7. Maybe they should tell the French? by Eunuchswear · · Score: 3, Funny

    Would save a lot of trouble.

    --
    Watch this Heartland Institute video
  8. so? by Anonymous Coward · · Score: 0

    Great they can tap an IP phone call on Skype. I guess they'll be up on all the gossip at the local middle school! What a travesty.

    1. Re:so? by Dr_Barnowl · · Score: 1

      People do use Skype for business reasons. Skype sells products for business reasons. I use Skype for business reasons (but my business is basically public knowledge anyway, so no need to steal it). Does the business version come without the back door? Didn't think so.

      One of the major sticking points with ECHELON for many was not that it was used to spy on middle school gossip, but that it was used to pass corporate intelligence to favoured "partners of the state".

      It's only a matter of time before the back door itself becomes one of those pieces of intelligence as well.

    2. Re:so? by Kalriath · · Score: 1

      It also means the FSB has access to the largest porn collection in the world, and they aren't sharing.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  9. Why? by mrbill1234 · · Score: 2

    Why would someone with something to hide use Skype?

    Seriously - if you've got something to hide, use something to which you have the source and can control the encryption used.

    1. Re:Why? by Xemu · · Score: 2

      Why would someone with something to hide use Skype?

      Seriously - if you've got something to hide, use something to which you have the source and can control the encryption used.

      or use skype steganography

      http://www.economist.com/news/science-and-technology/21571120-tinkering-skype-can-allow-people-send-undetectable-messages-speaking

      --
      Tell your friends about xenu.net
    2. Re:Why? by AHuxley · · Score: 1

      Think of a person doing work in another part of the world with security clearance back home.
      They use encryption for work, are very secure in all their data handling at home and clean when travelling.
      That person becomes a target of the CIA, FSB, MI6...
      Personal calls might give insight into life outside marriage/work ...that extra person sharing deepest desires and needs/wants/weaknesses/faith/cult.
      Drugs, debt, stress, parties, music, hobbies, lifestyle failures/happiness, addictions to a type of adult material..
      Over time the person of interest makes a "new" amazing friend, when alone they get a deal - sell out and stay safe or be exposed.

      --
      Domestic spying is now "Benign Information Gathering"
  10. Special services by ls671 · · Score: 3, Insightful

    Special services have been capable for several years not only to wiretap but also to locate a Skype user.

    Special services have been capable for several years not only to wiretap but also to locate cellular phone and landline users.

    --
    Everything I write is lies, read between the lines.
    1. Re:Special services by Anonymous Coward · · Score: 0

      Special services have been capable for several decades not only to wiretap but also to locate cellular phone and landline users.

      Fixed it for ya.

  11. Jitsi by Hatta · · Score: 1

    Jitsi provides ZRTP encrypted voice chat. It's free, open source, and cross platform. Why use Skype?

    --
    Give me Classic Slashdot or give me death!
    1. Re:Jitsi by LordLimecat · · Score: 2

      Because everyone else uses skype.

      People who don't get this are the same people who don't understand why facebook is more popular than Diaspora.

    2. Re:Jitsi by Anonymous Coward · · Score: 0

      One reason is that supposedly their landline connection is cleaner/more legit. This is BS, of course -- ever since (or before) Microsoft inserted buggy back doors, you could hear other people's conversations on cellphones.

      Another reason (a business reason) is a clear chain of liability, to a company you could sue.

    3. Re:Jitsi by Anonymous Coward · · Score: 0

      Peer pressure. Sure, I get it. I don't use Skype. I've been asked by friends and coworkers, "do you Skype?" (because they want to video chat). I tell them no, but I would be happy to join a Google+ hangout. Facebook? Yeah, I have an account - haven't used it in forever. You really can resist the peer pressure to use skype and facebook (or, to cover them all, MyTwitFace+) unless you have one of these situations like my daughter has where her university program requires her to use FB. Otherwise, just don't use them. Why the hell would I want a Skype account?

    4. Re:Jitsi by Hatta · · Score: 1

      There are two people in every conversation. If one uses Jitsi and one uses Skype, why should they settle on the insecure option?

      --
      Give me Classic Slashdot or give me death!
    5. Re:Jitsi by alen · · Score: 1

      yeah, because google puts your data into al bore's social security lockbox and won't ever use it for marketing

    6. Re:Jitsi by dkf · · Score: 2, Funny

      Why the hell would I want a Skype account?

      Because otherwise people won't talk to you. That's nice at first (very nice!) but after a while it leads to you not getting paid any more, which is very much not nice. The issue? People who communicate are better at making contacts and better at winning business. Over the longer term, this is a very important effect.

      But at least there's one thing. If the FSB listen into my skype conversations, the joke will be on them. In particular, those meetings are so incredibly boring that they'll lose the will to live! (It's bad enough for me, and I'm supposed to be interested in what's going on in them.)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    7. Re:Jitsi by dkf · · Score: 2, Informative

      If one uses Jitsi and one uses Skype, why should they settle on the insecure option?

      They'll choose Skype because that's the one that the person who isn't a tech expert already has working. Unless you're really keen on doing more free tech support...

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    8. Re:Jitsi by Hatta · · Score: 1

      If it's anything remotely important, a little tech support is a small price to pay for security.

      --
      Give me Classic Slashdot or give me death!
    9. Re:Jitsi by bill_mcgonigle · · Score: 3, Insightful

      aka "The Path to Idiocracy". It's true, though, and it should be an object lesson that technically sound software needs to be trivially easy to install and configure as well if it's to do much societal good.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:Jitsi by Anonymous Coward · · Score: 0

      - Like most FOSSturd programs it's got a stupid fucking name. Jitsi? Sounds like a style of martial arts. The homepage says it's Bulgarian and "sounded cool". If someone came up to me and said, "Hey, I use Jitsi. You should use it too!", I'd kick them in the dick and find a better friend.

      - Written in Java. Nuff' said.

      - No mobile client.

      - Recommended by well-known Slashdot troll "Hatta".

    11. Re:Jitsi by Anonymous Coward · · Score: 0

      Why the hell would I want a Skype account?

      Because otherwise people won't talk to you. That's nice at first (very nice!) but after a while it leads to you not getting paid any more, which is very much not nice.

      OK, so apparently there are a couple of people out there whose jobs depend on Skype. Why would any of the rest of us want a Skype account?

    12. Re:Jitsi by Anonymous Coward · · Score: 0

      All commercial software out there, but especially anything from Microsoft, disclaims any legal liability.
      What plaintiff ever won a lawsuit over buggy software?

    13. Re:Jitsi by LordLimecat · · Score: 1

      You wouldn't, if you have no one you care about talking to. If you do, you can either use Skype, or accept the fact that you aren't going to convince them to use Jitsi.

    14. Re:Jitsi by LordLimecat · · Score: 2

      It's not idiocracy, it just seems that way because you're technically minded.

      Just the other day I was trying to answer several questions about hacking, viruses, computer security, etc for a family member, and I realized (for the millionth time) just how hard it is to convey the framework that a non-techie would need in order to begin understanding a lot of this stuff.

      And in order for everyone to decide to use a more secure option, everyone needs to realize that the current option is really really bad and what the better option is. Getting that information out to a wide userbase there takes a TON of work.

    15. Re:Jitsi by Anonymous Coward · · Score: 0

      Because Skype is such a beautiful, intelligent, patriotic, minty, cromulent name.

    16. Re:Jitsi by Anonymous Coward · · Score: 0

      and has a mobile client, is on lots of hardware devices, and just works?

    17. Re:Jitsi by riondluz · · Score: 1

      Agreed. And a working solution might be to consider trading the issue of net-neutrality w/the telcos in exchange for them allowing end-users to run their own servers/services.

      This way everyone can have their own XMPP and give accounts to those they want to 'talk' to.
      Installing something like "Deb-Secure", end-users could run their own 'face-book' webapps and have fine-grained controls over what gets shared - no advertising; and over SSL/TLS - less DPI.

      Decentralization has always been found to be a good antidote to most problems in computing and communication - my .02

      --
      resist propaganda
    18. Re:Jitsi by riondluz · · Score: 1

      As I've posted elsewhere, and advocated forever, the 1st distro to offer a combined client/server platform that runs only with encryption (gpg), TLS/SSL, etc... will win the day.
      Non-techies won't have to know all the details of why their home machines are safer; only that they are using the best security has to offer.
      With easy-2-use GUIs for configuration of their services/servers and a dyndns address, they would have complete granularity over what they share and how.
      Nice pipe dream of mine.

      --
      resist propaganda
    19. Re:Jitsi by LordLimecat · · Score: 1

      Using GPG requires others who have GPG keys that are integrated with your keychain. That takes work. You also need to educate the userbase on how to differentiate unsigned, signed, and tampered with email. Ditto SSL.

      As always, the hardest problems in computing are the human ones.

  12. Well, for completeness. by Anonymous Coward · · Score: 0
    1. Re:Well, for completeness. by fustakrakich · · Score: 1

      Nothing confirms a story like an official denial.

      --
      “He’s not deformed, he’s just drunk!”
  13. Big Whoop by Anonymous Coward · · Score: 0

    So Russia, like the US and other Western countries, mandates that telecommunications hardware and software allow for wiretapping, or, as it is known internationally, Lawful Intercept.

  14. good by Anonymous Coward · · Score: 0

    arlet's hear them about my dutch conversations, you know, about the cat coming out of the sleeve, and that it is baconslippery over here. we better called the roadwait.

  15. It's "of" not "to"... by Anonymous Coward · · Score: 0

    "Special services have been capable for several years not only to wiretap but also to locate a Skype user."

    "not only OF wiretapping but also of locating" etc.

    What's happened to Americans' grammar?

    "Bob is capable OF fixing a PC" not
    "Bob is capable TO fix a PC".

    1. Re:It's "of" not "to"... by pipatron · · Score: 1

      In Soviet Russia, American grammar... does not apply. Or something like that.

      --
      c++; /* this makes c bigger but returns the old value */
    2. Re:It's "of" not "to"... by Anonymous Coward · · Score: 0

      TFS says your nit was from Google Translate.

  16. caveat emptor by snarkh · · Score: 1

    This is a report in a newspaper citing unspecified sources. Moreover, it is in FSB's interest to have people believe that they are more capable/powerful than they really are. A large grain of salt is definitely in order.

    1. Re:caveat emptor by mikechant · · Score: 1

      Moreover, it is in FSB's interest to have people believe that they are more capable/powerful than they really are.

      You don't state why, but I'm guessing for intimidation/control purposes. Which is certainly a point.

      However:
      It is also in the FSB's interest to have people underestimate their powers so they will be incautious, using systems they believe are secure which the FSB can crack.

      It is also in the FSB's interest to have people have a roughly correct idea of their capabilities, because when their real capabilities leak out (as is fairly inevitable), people will neither be horribly shocked at their intrusiveness or surprised as to how weak their capabilities are, so they will avoid unwanted criticism and attention.

    2. Re:caveat emptor by snarkh · · Score: 1

      > You don't state why, but I'm guessing for intimidation/control purposes.

      Correct.

      > It is also in the FSB's interest to have people underestimate their powers so they will be incautious, using systems they believe are secure which the FSB can crack.

      I doubt it. Perhaps for NSA it is true, but most of FSB's power is based on raw force and intimidation, not any particular competence.

      And people who are really serious about security would use more secure systems in any case.

  17. This is why the anti-trust watchdogs have backed off in the US -- MS agreed to build in backdoors for spying in its OS.

    I had suspected it, but proof was hard to come by.

    I predict antitrust problems for Google Chrome/Android products in a few years.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Next! by ebno-10db · · Score: 1

      I predict antitrust problems for Google Chrome/Android products in a few years.

      Nah, they've already rolled over. It's not a violation of "do no evil" to piss on the Constitution as long as the Government tells you it's ok.

    2. Re:Next! by Anonymous Coward · · Score: 0

      It's truly a shame you have no idea how full of shit you are. Ask any vendor selling exploits who their customers are...

  18. Rather the FSB than the NSA by ebno-10db · · Score: 1, Insightful

    As an American I'm less bothered about the FSB doing it than the NSA. Seriously, for my personal stuff, what does the FSB care? I'm much more concerned about the NSA (and if it can be done, I'm sure they are). For similar reasons I use Kaspersky on my personal computers. The FSB doesn't care about my bank account or the web sites I visit. The NSA/CIA/FBI may be another story. Not that I'm terribly interesting, but having once looked at a web site that was slightly to the left of the Democratic party, I'm probably on some automated terrorist watchlist somewhere.

    1. Re:Rather the FSB than the NSA by mjwalshe · · Score: 1

      You know Kaspersky is best buds with FSB. If you have interesting tastes in websites and have high security I am sure they would consider using that as leverage to get you to act as an agent for them.

    2. Re:Rather the FSB than the NSA by ebno-10db · · Score: 1

      You know Kaspersky is best buds with FSB.

      My point exactly - if I'm going to be spied on I'd rather have it be done by some outfit that has no real interest in me and no real power over me. I also "trust" them in the sense that I doubt they're going to mess w/ my bank account or something (unless they're doing charity and want to make a deposit).

      If you have interesting tastes in websites and have high security I am sure they would consider using that as leverage to get you to act as an agent for them.

      True, but I have no security clearance and the most interesting website I read is Slashdot. Now that's sad.

    3. Re:Rather the FSB than the NSA by mjwalshe · · Score: 1

      so a nice clean skin to act as a courier then :-)

  19. A solution? by spacemky · · Score: 1

    How could we guarantee no spying or eavesdropping via Skype? I think some sort of scrambling/de-scrambling/encryption program that sits at both ends of the Skype connection would do the trick. I'm surprised nothing like this already exists.

    --
    640YB ought to be enough for anybody.
    1. Re:A solution? by characterZer0 · · Score: 1

      If you are willing to go through that trouble, just use something else.

      --
      Go green: turn off your refrigerator.
    2. Re:A solution? by Mike+Frett · · Score: 1

      Exactly, and if you are using Windows then what is the point of making Skype 'secure' when it runs on an unsecured platform. Did everyone's _NSAKEY Marble fall out of their memory?

    3. Re:A solution? by Anonymous Coward · · Score: 0

      Did everyone's _NSAKEY Marble fall out of their memory?

      There's no real evidence that NSAKEY was *FOR USE BY* the NSA.

  20. I thought I read right here by doug141 · · Score: 2

    That the whole point of Microsoft centralizing the Skype servers after they bought it was to allow gov't taps.

  21. I'm not sure if this has been asked already by Anonymous Coward · · Score: 0

    But can they tap a call that doesn't originate or terminate in Russia? i.e. a call from the USA to the UK or anywhere else in the EU.

  22. Hmmmm by DaMattster · · Score: 1

    Even more reason not to use Skype. Use an open source app like Jitsi. It does the same thing as Skype but is open source.

  23. WTF? Why is this actually news? by Anonymous Coward · · Score: 0

    I do care that the Russians can intercept it... but...

    It leaked at least as early as 2008, if not sooner that the Germans were intercepting Skype.

    Who cares that the FSB can also.

    Seriously? Why is this news again? Did everyone fucking forget?

    Did you forget that MSFT acquired it since then and would have been required by law to build the capability in if it wasn't there already?

    "Reportedly". Bullshit. It's as good as confirmed other people have the capability, and if you're using Skype for anything where you have mission critical privacy needs, you're a damned idiot.

  24. sATELLITES by Anonymous Coward · · Score: 0

    Just use satellite scramble phones, that is our military's preferred option

  25. So can the FBI by elucido · · Score: 1

    Is this supposed to be a big surprise or big deal? It's not to anyone who knows about information security.

  26. Skype won't have to register as a telco in France by Anonymous Coward · · Score: 0

    France can just outsource its tapping warrants to the Russian FSB

  27. I wonder.. by Adult+film+producer · · Score: 1

    if there is an audible clicking noise when they intercept a call in progress...

  28. Alternative motive by Anonymous Coward · · Score: 0

    Am I the only one who searched for these company names and 'voip' and get results? Seems like the people quoted have a reason to want to make people scared of using Skype. Not saying anyone is right or wrong, but this just seems like rumor spreading.

  29. legitimate wiretaps??? by Anonymous Coward · · Score: 0

    I don't think there is such a thing. Certainly this is in the eye of the beholder.

  30. Simple Black bag job: Skype, Google, *all* of them by TheRealHocusLocus · · Score: 1

    The strength of session keys does not matter. Forget difficulty of proprietary protocol reverse engineering, it is child's play.

    Key negotiation is where the gold is, and there is only one real security wall that exists today among symmetric security systems: the Public Key Infrastructures with their strong prime factorization wall.

    There are no other walls, only hurdles.

    If someone were to pass along one little flash drive with the Certificate Authority chain signing and actual operating SSL private keys to NSA, FSB, whomever, Skype security becomes invisible. Same goes for the private keys for Google, others' SSL certs used for webmail/simap/spop3.

    And I'm not talking about some dramatic ninja mission impossible burglary either. Suppose Skype, Google, et cetera were merely threatened with something awful, unthinkable --- unless they comply and hand over the keys. Once they do the pressure is off and everyone can go back to pretending everything is secure. And there are no direct corporate liabilities.

    Ain't no free security lunch. Only true security that could ever exist is point-to-point between trusting individuals who have exchanged keys in person.

    --
    <blink>down the rabbit hole</blink>
  31. Re:WTF? Why is this actually news? by Anonymous Coward · · Score: 0

    Yes, the Germans were putting malware on endpoints to listen in on conversations. That's a good bit like tapping a phone but much different than intercepting traffic on the fly and cracking its crypto. No way is Russia whacking the crypto as easily as this claims.

  32. Re:Simple Black bag job: Skype, Google, *all* of t by Anonymous Coward · · Score: 0

    What you're saying has a great deal of truth to it if it were done but Skype doesn't use SSL for any of its communications so I think you can rule that one out...

  33. Eatin yer words != good nutrition, fool! by Anonymous Coward · · Score: 0

    How'd eatin yer words taste http://it.slashdot.org/comments.pl?sid=3417867&cid=42756893 , hmmm? Hahahaha.

    Must have tasted pretty bad, considering they were spiced with YER FOOT IN YER MOUTH, lol, and then to top that off, ya also "washed 'em down" with "the bitter taste of SELF-DEFEAT" too, lmao!

    (Took ya more than an entire month to eat 'em too, considering ya haven't posted on slashdot since 2/10/2013. Eating yer words != GOOD nutrition, fool. ROTFLMAO!!!)

    1. Re:Eatin yer words != good nutrition, fool! by Sardaukar86 · · Score: 1

      Thanks for illustrating my point for me. :-)

      --
      ..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
  34. Ya didn't answer the question troll by Anonymous Coward · · Score: 0

    How'd yer words taste http://it.slashdot.org/comments.pl?sid=3417867&cid=42756893 since you had to 'eat them', troll?

    Your point's what? That you're a fool that had to eat his words?? You made your point in having to eat your words in that link above, hahahaha.

    You avoid answering how your words tasted too. Gosh, why's that, troll? We know why, rotflmao.

    Additionally, your post history shows you stalked apk for weeks, and you have the nerve to deny that???

    LMAO. You are stupid, aren't you???? Your own bs gives you away from your post history!

    1. Re:Ya didn't answer the question troll by Sardaukar86 · · Score: 1

      Hahhahahahahahaa keep making my argument for me, you sad old manchild.

      --
      ..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
    2. Re:Ya didn't answer the question troll by Anonymous Coward · · Score: 0

      Ya made his point n' ended up eatin yer words here http://it.slashdot.org/comments.pl?sid=3417867&cid=42756893 versus 250 other slashdotters' contrary opinions to yers. Ya failed: Accept it. Yer post history shows yer profanity laden replies in geek angst retaliation, but with ya also strangely avoiding telling us how yer words tasted (lol) since ya had to eat them, as well as yer stalking apk for weeks here also which yer post history shows too, albeit to no avail, since you had to eat your words. Ya fail troll, reverting to all you understand how to do: Toss more names in effete retaliation for your own fail. Illogical and invalid as usual on your part.

    3. Re:Ya didn't answer the question troll by Sardaukar86 · · Score: 1

      Blah blah blah, obvious APK post is obvious, blah blah blah.

      --
      ..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
  35. skype is listening by peawormsworth · · Score: 1

    Skype is an eavesdropping service. I'm sure all users of it should know that. So what if the FSB can listen in. The bigger news is that Microsoft is tapping all your Skype calls... all the time. The encryption option has nothing to do with Microsoft's ability to record everything. And why shouldn't they? It's a great way to build a valuable database of our most private moments. Skype is not regulated by telephone privacy protection laws the way a regular phone provider is. This is why some countries in the EU are trying to force Skype to register as a telephone service... to protect the people (somewhat). Clearly, if you're using Skype and assuming that there is any level of privacy like you get from regular telephones... you have not read the EULA and terms of service. Or not even bothered to read about the company on Wikipedia.

  36. ZRTP by DrYak · · Score: 1

    Like jingle or SIP with encryption and its wide adoption. Not that it's happening anytime soon, but a man can dream...

    Jingle and SIP with encryption is called ZRTP (it's just adding an encryption layer over the usual RTP channels used for voice/video chat). And it is already supported in several software packages out-of-the-box (like Jitsi, which is often talked about here. But also Twinkle, and others).

    For messages, you have Off-The-Record, which works above almost any messaging channel. It's also supported by several software packages out-of-the-box (Jitsi again, or Adium) or with a plugin (Pidgin).

    These are technologies which exist RIGHT NOW, that you can START USING TODAY, and using your EXISTING XMPP and SIP accounts.

    (Well, for obvious reasons ZRTP is useless with SIP-to-PSTN gateways as the encryption lasts only to the gateway, not to the end-point.
    And ZRTP is useless with Facebook's XMPP gateway, as they don't support Jingle video/voice chat, but use a Skype plugin instead. But you can still use OTR: both endpoints will be able to chat to each other, while the thing which ends in Facebook's servers looks like encrypted crap.
    But for anything else it's already doable).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  37. Not FUD, in EULA by DrYak · · Score: 1

    Micro$soft may be providing backdoors now but prior? No way. This is FUD by the Russians.

    That's not FUD. Skype's EULA has been clear about it since even before being acquired by Microsoft.
    (Or at least it was back when I looked at it)

    They will comply with local legal requirements, including investigation assisting.

    To me that sounds like back-doors have always been a possibility should they be legally required to include them.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]