Tox, a Skype Replacement Built On 'Privacy First'
An anonymous reader writes: Rumors of back door access to Skype have plagued the communication software for the better part of a decade. Even if it's not true, Skype is owned by Microsoft, which is beholden to data requests from law enforcement. Because of these issues, a group of developers started work on Tox, which aims to rebuild the functionality of Skype with an emphasis on privacy. "The main thing the Tox team is trying to do, besides provide encryption, is create a tool that requires no central servers whatsoever—not even ones that you would host yourself. It relies on the same technology that BitTorrent uses to provide direct connections between users, so there's no central hub to snoop on or take down."
Even if it's not true [......]
Considering all the revelations that have emerged about surveillance in those ten years, the possibility that it's not true seems barely worth considering.
Seriously. Wtf nerds?
Decentralized services are a great idea, but there is one big flaw. Not enough people care about it to get a critical mass of users. Virtually everyone outside a handful of tech geeks will keep using the centralized services, so to talk to people out there in the real world, you'll need to use the centralized services too. Or, restrict yourself to these decentralized networks and find they are mostly empty, maybe several thousands of users across the whole of the world.
And good luck trying to explain to Joe/Jane Sixpack how to use them. You have to fight against the centralized data-mined services that came preinstalled on their devices, and that's a non-starter for most people.
It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.
Why reinvent the wheel, again?
---- Booth was a patriot ----
It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.
You do see what I mean, right?
It little behooves the best of us to comment on the rest of us.
OH SHIT
My IP gets exposed? Like how I've just sent it to Slashdot and the countless routers and proxies between my PC and the Slashdot servers?
You mean peer to peer, instead of relaying via a server?
Re:Oh god why.
"Oh god, Tox still isn't even remotely ready yet, why do this?! Damn it /g/."
What part of ' A group of developers started work on Tox ' don't you understand?
"Not to mention the fact that most paranoia freaks will shit themselves when they realize your IP gets exposed to people in the same way that BT does."
What?
I don't use skype for a 'chat box.' Really, I hardly 'chat' at all anymore. Did enough of that in the late 80's to early 90's. I use skype as my long distance phone carrier. As long as I'm at home or have a wifi connection, I can call any phone in the continental US at no extra cost. This costs me about $4 a month. It's a nomadic sort of thing, I used to do it with an iPod touch, but now use an unsubscribed Android phone (the iPod touch 'for the rest of us', which even has an SD slot!). When home I make long distance calls on my desktop. We have DSL and a local landline, no long distance carrier.
So this would never replace skype for me.
Tox? What happened to BitTorrent Chat? I thought the bittorrent folks themselves were making a secure decentralised chat client, it even made news on slashdot once.
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
It's so bad, Microsoft doesn't even make it easy to kill it off. Even Scott Adams made a Dilbert cartoon about how bad it is:
http://dilbert.com/strips/comi...
'A lengthy new Guardian report claims Microsoft worked directly with the NSA by giving complete back door access to Outlook (and Hotmail), Skype and SkyDrive. The report basically says each service was easily circumvented in order to make the NSA’s job of sleuthing data incredibly easy, as if your private info was selling at a weekend garage sale. One NSA document even described the collaboration with Microsoft as a “team sport.”' ref
"So now we're proposing something even worse."
Why do you think it will be worse? Give them a chance and let's see the released version.
Who wants to meet up on Diaspora and chat about Tox?
As much good as it would serve, governments around the world, besides nefarious control-of-the-peons approach, have a legitimate need to access communications of all types; there is a need to stop people who want to harm others. A centralized source allows this. A decentralized source, even taken to court under Federal judiciary orders to comply with monitoring, could not grant behind-the-scenes court-demanded snooping and could easily be taken down (no longer developed) as the law is used to company-cave-in to security letters.
Actually I've found Skype has become much more reliable since Microsoft bought them out. Video call quality is vastly improved and doesn't suffer from the call dropouts of old.
And how do you exchange key? Do they plan a web of trust à la GPG?
Hmm, interesting. It might be worth pointing out that Skype was originally based on a decentralized service pushed through the Kazaa network:
http://arxiv.org/abs/cs/041201...
Of course, the problem with the Skype system (as it was when that paper was written) is that the decentralised nature of the network means that your video call could be routed through any number of Skype network nodes (i.e. computers) before it arrives at its destination. I think now Microsoft has replaced most of the supernodes with microsoft servers, so replace "any number of Skype network nodes" with "any number of Microsoft servers".
Presumably Tox is doing something similar to going back to the roots of Skype, with maybe a bit more encryption thrown in.
Ask me about repetitive DNA
Readers of this story will have noticed the links to four of the major social media sites, including Facebook.
Since the earliest days of USENET and IRC Chat, the geek has a flawless record of making one-on-one communication over the Internet as painful a process as possible for the non-technical user.
It took the commercial services like Skype to break the spell.
"it's up to the users to give their public key to their friends in a way that it won't be intercepted in transit and replaced"
Lol. There is no security here unless you KNOW what you are doing. Not even minimal security... MITM attack can happen without issue.
It is a legitimate concern. Mocking it doesn't allay the concern.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
It will get popular. Get bought out by some big company who will gut it.
And then the next 'privacy first' thing will come along.
If you can come up with a way to initiate a stateful connection between two endpoints without telling each other, or a MITM, your IP, I'm sure we'd be all ears.
There are some serious Microsoft fanbois here. In no way can a Dilbert cartoon be considered flamebait.
Not much the average consumer can do about wire tap friendly products built into tame telco approved hardware and software as offered globally.
You can code a software layer into your consumer device that offers really good quality encryption.
The problem is not so much a back door, trap door, just that every letter and number entered on the device is open to hardware logging by default by a gov activated telco layer.
A person is walking around with a GPS beacon, live mic, camera and plain text capturing device they 'trust' due to a thin top layer of very good code?
A one time pad system, air gapped to get the message out? A user no longer has real time joy but is then only offering location, who made the message, where it went, when and all the details about the device that sent the message.
Domestic spying is now "Benign Information Gathering"
I do love the hypocrisy on Tox's web site. So they promote an alternative to Skype because of the concern of Microsoft owning it and what it could mean for privacy concerns... and yet the screenshot on display is clearly running under Windows 7.
If you're truly concerned about privacy and don't trust Skype, then by extension you don't trust Microsoft. If this is the case, how can you then trust the fucking OPERATING SYSTEM if it's made by the same people you don't trust? It's hypocritical and shows a lack of consistency in their message.
I understand that Linux doesn't suit everyone's needs, but surely they could be promoting Tox via a Linux screenshot rather than a Windows one. But what am I saying... I'm sure these folks will topple Skype anytime now.
The only way to stop your IP from being broadcast around the internet is to not use the internet.
The only way to receive a packet of data is for someone else to know your IP address. Either the entity initiating the send, or some kind of proxy along the way.
It's how the internet works.
Please explain how it's a legitimate concern and how to alleviate it.
Well garbage in, garbage out... At least the content will be encrypted, leaving only meta-data. Using a VPN can then only show a connection to your VPN and you can talk without metadata linking who you're chatting with.
I just hope they truly make it secure from the encryption to the authorization, so man-in-the-middle attacks or a weakness in encryption can compromise the service.
Oh Hi there, welcome to slashdot, you must be new here.
Why don't you have a quick look around, might I suggest you start with some introductory reading on issues that are considered common knowledge here. Anything with the word "Snowden" or "NSA" might be a good start.
It always seemed we could at least sandbox Skype as a limited unique user, but 4.3 requires Pulse and pulse is increasingly the de facto sound system over alsa. Correct me if I'm wrong but doesn't pulse running at the user level only allow ONE user and system-wide utilization is vehemently discouraged by the developers for SECURITY reasons? If so, it seems like Microsoft and the NSA have worked out a way to p0wn any linux box where a person has installed a working 4.3 Skype.
I guess you could still use it for chat as a unique user.
There is already a much more secure Skype Alternate. BBM. Get BBM Protected when it goes live and have military grade security. Can't believe all the Skype vulnerabilities and the icloud hack and people still love to bash the only secure platform out. BB10 and BBM.
A server in the middle that acts as a central point.
I get what you are saying, but exposing IP addresses to 3rd parties isn't typically desirable.
Case in point, I don't have your IP address. And you don't have mine.
Sure email works like that (although possibly less so in current era with gmail and such, then again maybe not), but many services don't. Sure, the service provider --- the middleman --- has access to that, but the other users don't.
A solution to a problem isn't necessarily a knee-jerk opposite solution (centralized vs. decentralized) but often some variation of an existing successful model that is slightly flawed, correcting *ONLY* the part that is flawed, not the parts of the service infrastructure that work well.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
remailers and nyms can do it for email. Unfortunately you get a lot of latency, sometimes added on purpose for extra security (to prevent tracking by timing) You encrypt reply blocks that have nested instructions to send the also-encrypted message along. Each server can only decrypt their own portion. With two servers between you, neither end point knows the other end point. Servers in different countries may be used in series. You can assemble such a reply block and attach it to anonymously sent emails or posts.
Some servers allow you to set up an address, and associate it with a reply block. You then have created a "nym", on a nymserver, and can give out that email address to places rather than a reply block.
An additional part can give the encrypting key to the next server, so the server which decrypts a section encrypts the messages it sends out with the next server's key routinely.
Unfortunately, to have deniability regarding a sent message, you can't send it and have it immediately appear on the other end.
As with nearly everything in life, privacy and security are not all-or-nothing, black-or-white issues - instead it is a set of trade-offs, what do you have to give up in order to get a desired result. It is at least a 2-dimensional spectrum where limiting exposure to the minimum necessary nodes versus any node that takes an interest is preferable.
Look at it this way - most people don't have a problem giving their credit card number to a website when they make a purchase but would not find it acceptable to share their credit card number with every website they log in to.
We know by its existence that onion-routing is one way to minimize IP address exposure. It does not eliminate it, but it drastically reduces the window of exposure. That increased privacy comes at a cost, the question, as it is with all costs, is if the cost is worth it.
Just tried to install it after adding the PPA and it's missing mysterious dependencies, thus cannot be installed. Rubbish. Promotion should offer an incentive, not a host of obstructions! Back to Jitsi, cunts.
On slashdot, your IP doesn't get exposed to everyone, silly. It only gets exposed to slashdot (and routers in between if you are not using SSL). Finding your IP (and hence your location), by just your name viperidaenz, is a little bit worrying and a valid concern. If you don't find it worrying, you should start signing each of your slashdot posts with your current IP.
I don't have your IP, you don't have mine. The 3rd party in the middle does. There is a single point where all interaction with Slashdot can be intercepted.
I get what you are saying, but exposing IP addresses to 3rd parties isn't typically desirable.
What? That's exactly what you're advocating.
The flaw in the system is the central server.
Email works fine how it is, because of the requirement to store messages when recipients are offline. Yet it still doesn't suffer the problem of all messages going through a single entity. You're free to connect directly to the recipient's mail server. You're not forced to go through a particular company or country.
Real time video links don't have that requirement. There is no need for a central server. All you need is some kind of directory. A DHT fills that requirement.
my experience on linux has been the exact opposite.
aka http://en.wikipedia.org/wiki/O...
Finding my IP just by my name viperidaenz requires nothing more than an NSL.
Regards,
viperidaenz
IP: 10.0.102.54
ps: there may be one or more network address translations and proxy servers in the way.
Website: tox.im
IP location: NY, NYC, Verizon Online LLC
Domain reseller: Gandi SAS, xxxxxxxxxx, Paris, France
Owner / registrant: Sean Qureshi, xxxxxxxxxxxx, Los Angeles, CA
I did a who-is lookup because what the ^shift-numbers^ does .IM stand for?
Tor.
You're.
Moron. Go back to school.
He said: or a man in the middle.
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
tells your ip to PRISM, which tracks the packet from hop to hop all the way through the onion and back. You think they just stumbled onto tormail's server at random?
Tox is licensed under GPL v3 which is incompatible with iOS. Brilliant idea to exclude one of the most popular mobile platforms, this will surely replace Skype.
You have to be seriously insane to even consider trying to do real time video over something akin to Bittorrent.
A few months ago, I would have agreed with you. But I've been using the PopcornTime app since then, and it reliably delivers HD streams with few if any stutters. There's no reason to believe a single (video+)voice stream wouldn't be possible using a similar approach....
Crumb's Corollary: Never bring a knife to a bun fight.
As with Tor/I2P/GPG/Gnunet/Unix/etc/etc/etc... it is superior communication, operating and privacy technology.
Thus it will only fail if YOU refuse to use it, and because YOU refuse to introduce others to it and show other people how to use it.
The GUI's and package updaters all exist for sixpack and gramps now, so you are NOT fighting them, you are fighting YOURSELF and your own EXCUSES.
vline.com
There you go again.
I would say that doesn't anonymity contribute to a healthy internet
That's exactly what you lose when you route all your communications through a single provider. You're left with pseudonymity.
There are multicast protocols, broadcast addresses and "magic packets" used to switch machines on and off. Unfortunately, those methods tend to send messages to a whole range of addresses and not just the one you intended.
Easy way to make this much more useable is to keep the current user rendezvous infrastructure, but use a layer on top for key exchange that goes through user-elected central servers.
The entire Moxie Marlinspike's trust agility thesis. Let the users choose the central entity that they trust for making the rendezvous via a plugin or a high level protocol layer - something as simple as a REST api over https. Every trust provider just has to provide an API endpoint for signing and exchanging keys.
App to user: Here is Bob's key - signed by Slashdot's server. User: screw you, slashdot got hacked twice and their web looks funnay. I trust no one that comes that way. Does Bob exist on BookFace instead? And so on. You could also have a distributed database of trust provider endpoints along with their current, recent and overall trustworthiness rankings.
http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
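Added example, not part of the thread and not Tox code: a sketch of the trust-provider idea proposed in the comment above, combined with the out-of-band key check raised earlier in the thread ("it's up to the users to give their public key to their friends..."). The provider names, the answers dictionary standing in for HTTPS lookups, the SHA-256 fingerprint format and the sample keys are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

KEY_HEX_LEN = 64  # the thread describes the public key as 64 hex characters (256 bits)

# Constructed sample values (not real keys): two distinct 64-hex-character strings.
BOB_KEY = hashlib.sha256(b"constructed sample key: bob").hexdigest()
SWAPPED_KEY = hashlib.sha256(b"constructed sample key: substituted").hexdigest()


def normalize_key(text):
    """Return the key as 32 raw bytes; raise ValueError if it is malformed."""
    cleaned = "".join(text.split()).lower()
    if len(cleaned) != KEY_HEX_LEN:
        raise ValueError("expected %d hex characters, got %d" % (KEY_HEX_LEN, len(cleaned)))
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def fingerprint(key):
    """Short SHA-256 fingerprint, grouped so it can be read out over a second channel."""
    digest = hashlib.sha256(key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def confirm_out_of_band(key, spoken):
    """Compare the fingerprint of the received key with one the contact read out."""
    expected = fingerprint(key).replace(" ", "").encode()
    given = "".join(spoken.split()).lower().encode()
    return hmac.compare_digest(expected, given)


def resolve_key(answers, trusted, quorum):
    """Decide whether to accept a contact's key.

    answers: provider name -> hex key that provider reports (hypothetical lookup result)
    trusted: providers the user has chosen to trust; all others are ignored
    quorum:  how many trusted providers must report the same key
    Returns (decision, key_bytes_or_None).
    """
    votes = Counter()
    for provider in trusted:
        raw = answers.get(provider)
        if raw is None:
            continue
        try:
            votes[normalize_key(raw)] += 1
        except ValueError:
            continue  # a malformed answer counts as no answer
    if not votes:
        return ("unknown", None)
    if len(votes) > 1:
        return ("conflict", None)  # trusted providers disagree: possible substitution
    key, count = votes.most_common(1)[0]
    if count < quorum:
        return ("insufficient", None)
    return ("accept", key)


if __name__ == "__main__":
    trusted = ["provider-a.example", "provider-b.example"]  # hypothetical providers
    honest = {"provider-a.example": BOB_KEY, "provider-b.example": BOB_KEY}
    tampered = {"provider-a.example": BOB_KEY, "provider-b.example": SWAPPED_KEY}
    print(resolve_key(honest, trusted, quorum=2)[0])
    print(resolve_key(tampered, trusted, quorum=2)[0])
    print(fingerprint(normalize_key(BOB_KEY)))
```

A "conflict" result does not say which provider is wrong; it only tells the user that the key should not be accepted until it has been confirmed over another channel, for example with confirm_out_of_band.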
And when your communications are routed through your DSL, Cable or Phone provider?
You seem to operate from the idea that communications network is separate from corporate control or government observation. But it isn't.
You can wish it were. It does not make it so.
Hence, your ideas aren't from a position of experience like you wish to believe, but rather inexperience. Which is my point.
I hope you learned something today.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
I discuss similar stuff with people. You have a few that don't care but you also have many that are getting wrong advice. Many were told that legally they can't highly secure their cell phones, computers, tablets, etc. Plus a few even said that to be as secure as possible will have them put under suspicion of illegal activities and they don't want that kind of attention.
I believe security is good if it accomplishes what it is intended for. But many that are not secure because for a decade they were told they were fine; "don't worry about it, you have all that you need". Now everything is turned upside down. Security is only good if it is used. Unless someone has a magic plan to get the public to use the new secure software that seems to be invented regularly for the past six to eight months, many of it may go obsolete before the first anniversary of the software arrives.
I have had the opposite experience. I have had more calls drop out for no obvious reason (network at both ends was still operational) in the last few weeks than ever before. Yay anecdotes!
It is a legitimate concern. Mocking it doesn't allay the concern.
A legitimate concern? Man! I want some of what you've been smoking, buddy!
I'd be really interested to know how one can send and receive data across the Internet without sharing your IP address with each intervening router, as well as the endpoint. I've been doing IP networking (since you're obviously rather thick, I'll explain that IP is the Internet Protocol which is the basis for all communications across the Internet. You can find out more with the TCP/IP Tutorial and the Internet Protocol Specification) for a long time, possibly since before you were born (your comments indicate that it may have been yesterday) and your IP address is critical to routing your data to and from the network node you're using at any given time.
So please, do enlighten all of us who clearly don't have your intimate knowledge of IP networking as to how we can send and receive data without sharing our IP address. I'd be much obliged.
No, no, you're not thinking; you're just being logical. --Niels Bohr
It is a legitimate concern. Mocking it doesn't allay the concern.
Oh, and I wouldn't dream of mocking your "point." I'll just mock you. You're certainly asking for it.
No, no, you're not thinking; you're just being logical. --Niels Bohr
Pipe it through a VPN
Have at it. Do it from sunrise to sunset.
And my point will be correct the entire time while you do it, regardless of whether or not you think attacking the conveyor of a correct and valid idea has merit.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
I'll just mock you. You're certainly asking for it.
Well yes, that's kinda the point.
Do you really think TrollstonButterbeans will object to being fed the kind of attention it's begging for?
... consists of 64 hex characters. This gives a 256 bit public key. Not very strong or am I missing something?
It doesn't have to be like this. All we need to do is make sure we keep talking.
I will be using it for sure.
That's where encryption comes in to play when routing data anonymously.
Time to go back to IPX/SPX and NetBIOS
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
I'd just like to point that out. Also, the various clients are a mess currently.
I think most privacy advocates are much more worried about a central server than exposing their IP address.
In fact, that's one of the selling points of Tox compared to Skype: the NSA can't simply ask Microsoft for a tap into all of your communications.
Having my conversations go through an untrusted third party is a concern every reasonable person has, whereas exposing the IP address to someone you're communicating with is less of an issue for most people (assuming well done encryption will stop any MITM attacks).
For those who care, there are already perfectly good solutions to hiding your IP, and there is no reason to think Tox won't work with it. So there you go - best of both worlds.
(and routers in between if you are not using SSL)
No I'm fairly sure SSL still exposes your IP to routers. It's only the content that's encrypted not the source.
Instead of some man in the middle proxy bullshit such as Skype we can take advantage of getting away from NAT and have point to point communications over IPv6 just like ringing a phone number.
Skype already leaks your IP anyway (both to active callers and to anyone that requests it as long as they know your username.)
It's common knowledge in live streaming that you should hide your skype username when streaming to prevent DoS attacks.
http://krebsonsecurity.com/201...
We have TOR for that.
Don't make developers implement stuff that should be handled in different layers of the communication stack. The code will only get more hairy and less secure.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
It is in fact the exact approach used by Skype in many circumstances. Peer-to-peer voip is neither novel nor difficult.
The only way to stop your IP from being broadcast around the internet is to not use the internet.
Or just use Tor or a VPN. The point is to hide "your" IP address, i.e. the one that can link information back to your internet connection.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I'm curious whether Skype changed to a more centralized service primarily because of the mobile world. Skype used to be a huge connection and battery hog on phones primarily because of the decentralized nature. Skype used to send messages through that were 'pending' to a contact even when your phone was in standby, because it was constantly trying to push the message to the user.
After microsoft acquired Skype, one of the first changes was this was removed, but it made it difficult to send messages sometimes because you had to pop your phone out of standby and switch to the app for it to send messages to people who were offline at the time you sent it. It made for some strange broken conversations. Now it just goes to pending and seems to go through right away, and the drag on phone performance is minimal.
Of course, microsoft has also made some really shitty and annoying changes. I can live with and understand the whole 3-way video chat becoming a premium feature to monetize the service if they're gonna use central servers, but I can't understand the awful UI choices doing their best to remove any possibility of signing out of skype on mobile devices.
Go ahead I'm not afraid of exposing myself.
With All the Corporate Tax Inversions, perhaps Microsoft could be "bought out" by a Chinese or Middle East "Company" to avoid US Corporate Tax rates.. and Evade the Court Orders and NSA Inspection programs.
Ballmer and Gates mentioned something like this when demanding HB-1's be raised or they would move Microsoft Headquarters to Canada less than Ten years ago.
With the recent defiance at turning over Customer Emails held in Machines on Foreign soil.. I strongly wonder if they aren't about to announce "Billions and Billions" saved by moving across the border or over seas. Although Canada might be a bit too close to avoid pressures from the US Government. Microsoft Mexico or Latin America might be more likely.
It would be a very popular move with Investors, who could reap massive Dividends on payouts as they Exit the US Economy and in effect repatriate their profits in a Foreign market.. and Evade the whole HB-1 issue altogether.
As a Cloud company about the only thing they could do Domestically to make things worse would be to strategically partner with say EC2 to store "some" data in the US for US Customers only.
China would certainly like to have a larger say so in Microsoft Development.. even to the Tune of developing their Country's proprietary In-house Operating System. China is in the middle of the 1990's as far as Desktop software development and "discovery" and prosecution of Microsoft for Monopolistic practices. There.. Microsoft is still in the Windows 98 soon to be Windows XP landrush. And Netscape never happened there. It's like History is playing out all over again in lock step with US History.
Either the entity initiating the send, or some kind of proxy along the way.
It's how the internet works.
Please explain how it's a legitimate concern and how to alleviate it.
Just because it's how the Internet works, doesn't mean it might not be a problem. There's a tin-foil hat brigade who use VPNs, after all.
Crypto analogy: the Internet works in plain-text. That doesn't mean plain-text is always appropriate.
While funny, Right-click the tray icon and select "Quit Skype" and then "OK" when it tells you that nobody can call or text you on it.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
Nope, it actually just requires your skype (or Tox) name. If you don't like your IP to be exposed, I am sure you will understand the concerns about tox/skype exposing IPs.
With SSL, they only have source and destination IP, not your username. So association between username and IP is not possible.
We need an open source solution, that can't be traced back to a specific person.
Peer to peer, encrypted, with no DNS dependency.
Not if your traffic was layer 2 and you MAC spoofed. If the device you are communicating with is via layer 2 and had its own IP. Others only see other devices' IP.
There are many services that tackle parts of Skype's functionality, but I have yet to see one that tackles them all. Not only does Skype do chat and client-to-client video conferencing, but it also gives you access to a global POTS gateway both outgoing and inbound, and is available to customers outside of the USA. Viber, Line, WeChat, Google and tox don't have the functionality to take away Skype's business. So we remain stuck with Skype, despite their ever worsening service and dubious allegiance.