Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tox, a Skype Replacement Built On 'Privacy First'

Posted by Soulskill on from the pet-rock-also-built-on-privacy-first dept.

An anonymous reader writes: Rumors of back door access to Skype have plagued the communication software for the better part of a decade. Even if it's not true, Skype is owned by Microsoft, which is beholden to data requests from law enforcement. Because of these issues, a group of developers started work on Tox, which aims to rebuild the functionality of Skype with an emphasis on privacy. "The main thing the Tox team is trying to do, besides provide encryption, is create a tool that requires no central servers whatsoever—not even ones that you would host yourself. It relies on the same technology that BitTorrent uses to provide direct connections between users, so there's no central hub to snoop on or take down."

104 of 174 comments (clear)

  1. Back door by WillKemp · · Score: 2

    Even if it's not true [......]

    Considering all the revelations that have emerged about surveillance in those ten years, the possibility that it's not true seems barely worth considering.

    1. Re:Back door by Anonymous Coward · · Score: 1

      The idea of backdoors is just convoluted and pointless, it's often a way of perpetuating some illusion of shady corporate and government collusion. Oddly enough the product is used by many different governments and other corporations across the globe so I've never quite understood who the supposed conspirators are - though it is often Microsoft and the US government while the rest of the world are bumbling fools living in ignorance, but these people who tell us all about these back doors (except what they are, how they work, if they exist and how to access them) are the real informed ones that know the truth.

      The more knowledgeable of us know you could easily prove it out with traffic analysis if they *did* exist yet it remains the domain of unsubstantiated and often bizarre conspiracy theorists. The fact is it is unnecessary because trapping the traffic as it goes over the public net is a much more clandestine approach and does not require specific interfaces in every bit of software for it to work.

      I enjoy the conspiracy theories to a point but I have always found it odd that while one group of extremists portrays corporations like Microsoft, Apple, Google, HP, IBM, and others as bumbling idiots when it comes to security while the other end of the scale argues that they are incredibly competent criminal masterminds to the point that they have these secret backdoors into every system that nobody knows about and nobody on the inside has ever leaked out. Both groups argue against the more level-headed groups but never against eachother ... strange.

    2. Re:Back door by AHuxley · · Score: 4, Interesting

      AC the backdoor aspect is both national and international
      "FBI Wants Backdoors in Facebook, Skype and Instant Messaging"
      http://www.wired.com/2012/05/f...
      ".... drafted by the FBI, that would require social-networking sites and VoIP, instant messaging and e-mail providers to alter their code to make their products wiretap-friendly."
      Then the world was given more details "Encrypted or not, Skype communications prove Ãoevitalà to NSA surveillance" May 14 2014
      http://arstechnica.com/securit...
      As for the "nobody on the inside has ever leaked out." aspect try http://cryptome.org/2013-info/...
      The "inside" can now be understood by aspects like "Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.Ã(TM)s"
      http://www.nytimes.com/2013/09...
      ..."employees sit alongside Drug Enforcement Administration agents and local detectives and supply them with the phone data from as far back as 1987."
      How past "parallel construction" and telco support will respond to any new "peer-to-peer and voice calling" will be interesting.
      How did the US and UK get to past bespoke crypto telco hardware in the 1950's and beyond? Plain text always seemed to emerge just in time.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Back door by Mister+Liberty · · Score: 1

      Leaving the conspiracy theories aside (indeed, who needs them, except strawman erectors) -- tell me, do you think for instance there were some average Janes and Joes that got rather a bad wrap, undeservedly so, during the housing and banking crises the other day?

    4. Re: Back door by Anonymous Coward · · Score: 2, Interesting

      If you send traffic to a central server, and if the traffic is unencrypted OR is encrypted by a key you don't control then monitoring your traffic without you being to prove it is absolutely possible.

      You *always* send data to servers you dont control when you transmit data over the public net, everybody already knows that and anybody that assumed any sort of privacy when transmitting data over a public network is a deluded fool, clearly you are in that category.

      I suppose to you that means it doesn't exist.

      No I am talking about backdoors in client side software (in things like windows and osx, the kind that has been perpetuated for years without any actual proof) because you do not *need* backdoors in server software when you have a dragnet that can capture masses of public traffic. It may make it easier but it is by no means necessary.

      I've been watching the antics of you corporate apologists and law enforcement worshippers for some time now. You'd almost be funny if your attitudes weren't so poisonous to a free society.

      No I am just not using fear of mass surveillance to push an agenda of free software. The problem with people like you is you are trying to lull people into a false sense of security by advocating privacy and openness while ignoring that software like this is not the answer (didnt work out too well for Tor now did it?). If what you are genuinely after is a free society then you already know that free software and data encryption are a stupid place to start because you're always the next zero day vulnerability or a compromised public server away from malicious parties intercepting your data. I am not entirely sure if your position is through ignorance or malice but either way trying to convince people that software like this will lead to a free society is utter stupidity of the highest order or deviously malicious at the other end.

      Free software and private communications are a side-effect of a free society, they are in no way capable of creating a free society because they can be compromized and the networks on which they operate can be compromized.

    5. Re:Back door by wiredlogic · · Score: 2

      Of course it's backdoored. The only reason why eBay bought Skype is to cross-correlate with PayPal accounts in exchange for taking the heat off threats of banking regulation.

      --
      I am becoming gerund, destroyer of verbs.
    6. Re: Back door by magamiako1 · · Score: 1

      I wish you'd post as a logged-in user, your comments are some of the only intelligent ones in this thread.

    7. Re: Back door by unrtst · · Score: 1

      Wish I had mod points for ya (or that you had logged in)

    8. Re:Back door by LordLimecat · · Score: 1

      Hows this.

      We know-- for a fact-- that Skype has worked with the Chinese government to provide bugged versions of skype (TOM Skype). We know-- for a fact-- that Microsoft has access to provide call logs for law enforcement, on demand.

      Call it what you like, but both of those are well documented and can be found in a 5 minute google search.

  2. it's a great idea with one major flaw by Anonymous Coward · · Score: 5, Insightful

    Decentralized services are a great idea, but there is one big flaw. Not enough people care about it to get a critical mass of users. Virtually everyone outside a handful of tech geeks will keep using the centralized services, so to talk to people out there in the real world, you'll need to use the centralized services too. Or, restrict yourself to these decentralized networks and find they are mostly empty, maybe several thousands of users across the whole of the world.

    And good luck trying to explain to Joe/Jane Sixpack how to use them. You have to fight against the centralized data-mined services that came preinstalled on their devices, and that's a non-starter for most people.

    It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.

    1. Re:it's a great idea with one major flaw by dcollins117 · · Score: 4, Insightful

      Decentralized services are a great idea, but there is one big flaw. Not enough people care about it to get a critical mass of users.

      There's a group of Hollywood celebrities that have just been made aware of the need for decentralized and more private internet services. I think people will care, albeit only after a problem has occured.

    2. Re:it's a great idea with one major flaw by Anonymous Coward · · Score: 1

      Do you think a single one of those celebrities will move to such a system?

      I wager not one of the ones effected by it will.

    3. Re:it's a great idea with one major flaw by exomondo · · Score: 1

      There's a group of Hollywood celebrities that have just been made aware of the need for decentralized and more private internet services.

      In that context what is the solution? Certainly not to host the services yourself. The security was beaten by a flaw in the server software that allowed a brute force attack to take place, so how does decentralization help you there?

    4. Re:it's a great idea with one major flaw by Bing+Tsher+E · · Score: 5, Insightful

      They just have to stop storing personal content 'on the cloud'. Don't buy into the idea of no local storage. Say NO to devices that don't have an SD slot ( sorry, Apple and Google...)

      32g sd cards are really cheap now.

    5. Re:it's a great idea with one major flaw by dcollins117 · · Score: 1

      Do you think a single one of those celebrities will move to such a system?

      I really think they will if it's the easiest option. It's up to developers to make encrypted, decentralized storage the default and easy to use. Build it and they willl come (pun half-heartedly intended.)

    6. Re:it's a great idea with one major flaw by AHuxley · · Score: 1

      AC the news is full of 'hints' like "FBI, Telecoms Teamed to Breach Wiretap Laws" ( 01.21.10)
      http://www.wired.com/2010/01/f...
      FBI Seeking to Pay Telecoms to Store Records for Years and Provide Instant Access (07.18.07)
      http://www.wired.com/2007/07/f...
      FBI pressures Internet providers to install surveillance software (August 2, 2013)
      http://www.cnet.com/news/fbi-p...
      Also recall Communications Assistance for Law Enforcement Act http://en.wikipedia.org/wiki/C...
      ".... requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic."
      Its the local laws where the handsets are to be sold that matters. If you want to sell in say the USA, your "designed" aspect will have to be US wiretapping law friendly.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:it's a great idea with one major flaw by exomondo · · Score: 2

      Where "yourself" is one of a set of firms that specialize in very high security hosting for high-risk clients. Using an iphone locked them in to Apple's lowest-common denominator of secure hosting, and while that's great for the average low-value target, it isn't sufficient for someone with a lot to lose.

      That's rubbish, you are not "locked" in to Apple's hosting, stop spreading FUD. You can quite easily turn off iCloud and use whatever service you want or no cloud storage at all, it is already decentralized. You are just swapping one supposedly secure service for another.

    8. Re:it's a great idea with one major flaw by Antique+Geekmeister · · Score: 1

      > You can quite easily turn off iCloud and use whatever service you want

      I'm afraid I must say "good luck with that". The bar to replace services that are built into Iphones or Ipads by Apple, as a supported service and built directly into their operating systems, is quite high.

    9. Re:it's a great idea with one major flaw by exomondo · · Score: 2

      I'm afraid I must say "good luck with that".

      Not sure why, I don't need luck because it already works fine with services like DropBox and Skydrive or there's apps from western digital and synology. I could even use the APIs to write my own if I wanted to.

    10. Re:it's a great idea with one major flaw by exomondo · · Score: 1

      Name one system that does keychain backup/restore inside the standard apple interface.

      Why would I want to do that? Saving my passwords (encrypted or not) to a cloud service sounds like a fantastically stupid idea. I'll save photos and videos there but passwords? No thank you, I have no need for that.

    11. Re:it's a great idea with one major flaw by Tom · · Score: 2

      It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.

      We've largely solved the issue with things like magnet links and decentralized databases.

      The issue we still haven't solved is in our mind: We believe everyone needs to have "tech literacy", completely forgetting that every invention in history became successful only after someone made it easy to use for people without learning all the mechanical details about it. When only car mechanics could drive a car, the total number of cars in the world was less than that in your local shopping malls parking lot today. Is that change because cars became more easy to use, or because more people became car mechanics? Take a guess.

      --
      Assorted stuff I do sometimes: Lemuria.org
    12. Re:it's a great idea with one major flaw by Antique+Geekmeister · · Score: 1

      > I don't need luck because it already works fine with services like DropBox and Skydrive

      Neither of these are focused on end-to-end user security. The centralized password management for both systems, and presence of most deposited contents unencrypted, are profound price savings and software simplifications for those companies. But it puts both systems at risk of precisely the sort of overseas, strong-arm warrant or subpoena that Microsoft is facing right now from US courts for email stored in Ireland.

    13. Re:it's a great idea with one major flaw by exomondo · · Score: 1

      Neither of these are focused on end-to-end user security.

      So? The original question posed was about being "locked" into Apple's offering, which is not the case. Can you provide an alternative service that is "focused on end-to-end user security"?

    14. Re:it's a great idea with one major flaw by TheRaven64 · · Score: 2

      Step one is to have the big high-profile stories in the press about the problems. Step two is to have the big high-profile stories in the press about the alternatives. The important thing now is for anyone who is contacted by the press as an expert to ask about the iCloud hack to make it very clear that this isn't an Apple-specific problem, it's a problem inherent in the entire design of centralised services and to list alternatives.

      --
      I am TheRaven on Soylent News
    15. Re:it's a great idea with one major flaw by TheRaven64 · · Score: 1

      The BBC news article about the hack had a quote from one of the celebrities saying that the pictures had already been deleted before they were stolen. That is the problem with these services: they don't securely (or, at all) delete things. Google's deletion mechanism, for example, relies on simply not actively copying the files to newer disks so that when the old disks eventually die the files are gone. I wouldn't be surprised if Apple's works in a similar way. Even if you decide you don't trust Apple/Google/Facebook today, you've got a long wait before all of the files that you've uploaded to them are gone.

      --
      I am TheRaven on Soylent News
    16. Re:it's a great idea with one major flaw by Antique+Geekmeister · · Score: 1

      > Can you provide an alternative service that is "focused on end-to-end user security"?

      No. That's partly because the barrier to entry is so high, which I did mention. So services like a Skype replacement, or full blown custmer-privacy-centered services, are quite difficult to get started. And services like Dropbox admit, themselves, that they are not immune from subpoenas. (See https://www.dropbox.com/transp... for what little they're permitted to publish about search warrants or subpoenas.)

      I may have been unclear. "Good luck with that" getting a good quality, genuinely effective customer privacy ensuring technology and service off the ground.

    17. Re:it's a great idea with one major flaw by shdowhawk · · Score: 1

      I agree with your idea of not buying into "no local storage", but ...

      The device doesn't matter, it's the software. My 16gig iPhone has plenty of storage for my to do what I need/want without using cloud/off-device solutions. I don't need a device with sd cards. Software is the issue. The software I use IS going to send some information to a server SOMEWHERE for storage or re-routing - that is the problem. Having software that does proper peer-to-peer, fully encrypted with proper up-to-date encryption methods, with no centralized nodes, is what is needed for security

      ... But marketing people, of course, know best. We all know that customers want their data "backed up" or "temporarily held" in case of "temporary outages" ... so magical clouds can automatically re-send your information. Think of the chil... err... end users! No one wants to see that "message not delivered" message. It's a feature, not a bug! (*Insert big name company / government agency here*) is just trying to make your device experiences more simple, better, and easier to understand, just like grandma wants/needs it! ... and all joking aside, those features really are kinda nice when it's not abused - which of course means they will be abused.

    18. Re:it's a great idea with one major flaw by rbrandis · · Score: 1

      Only problem with that is the phones as always connected (unless off or in airplane mode), and ready to be hacked themselves.

    19. Re:it's a great idea with one major flaw by Anonymous Coward · · Score: 1

      Or, if you're going to have one of these devices (sorry, but being able to turn a Nexus 7 into a Kali Pwn Pad outweighs the lack of SD slot to me), then at least grab a wireless SD reader ($50-70), or, hell, use sshfs or some other method of storing the data off of the physical device.

      Not having a card reader is absolutely a bit obnoxious, but it doesn't actually lock you into cloud storage. That's just the hope of the marketing crowd.

    20. Re:it's a great idea with one major flaw by exomondo · · Score: 1

      The BBC news article about the hack had a quote from one of the celebrities saying that the pictures had already been deleted before they were stolen.

      Deleted from the phone, not from iCloud. The hacker(s) gained access to the users' iCloud account where the files are accessible, they were not deleted.

    21. Re:it's a great idea with one major flaw by exomondo · · Score: 1

      Well firstly I was debunking the idea that with Apple you're locked to iCloud, which is false. Then I was asking what the alternative is and your response is that there isn't one and that some fantasy one with everything you want is likely not viable.

  3. xmpp exists today. by nurb432 · · Score: 1

    Why reinvent the wheel, again?

    --
    ---- Booth was a patriot ----
    1. Re: xmpp exists today. by Jorgensen · · Score: 1

      Not entirely true. They are no more centralised than email servers. Each domain gets to nominate their own XMPP servers via DNS - which can be shared across cooperating domains.

    2. Re:xmpp exists today. by unrtst · · Score: 1

      Does this count? https://play.google.com/store/...
      Or maybe this (Jitsi)? https://download.jitsi.org/jit...
      Or this (Talkonaut)? http://talkonaut.android.infor...

  4. An oxymoron ... by CaptainDork · · Score: 2

    It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.

    You do see what I mean, right?

    --
    It little behooves the best of us to comment on the rest of us.
  5. Re:Oh god why. by viperidaenz · · Score: 4, Insightful

    OH SHIT
    My IP gets exposed? Like how I've just sent it to Slashdot and the countless routers and proxies between my PC and the Slashdot servers?

  6. Re:Oh Great Just What We (Don't) Need by viperidaenz · · Score: 3, Funny

    You mean peer to peer, instead of relaying via a server?

  7. Not what Skype is for me. by Bing+Tsher+E · · Score: 1

    I don't use skype for a 'chat box.' Really, I hardly 'chat' at all anymore. Did enough of that in the late 80's to early 90's. I use skype as my long distance phone carrier. As long as I'm at home or have a wifi connection, I can call any phone in the continental US at no extra cost. This costs me about $4 a month. It's a nomadic sort of thing, I used to do it with an iPod touch, but now use an unsubscribed Android phone (the iPod touch 'for the rest of us', which even has an SD slot!). When home I make long distance calls on my desktop. We have DSL and a local landline, no long distance carrier.

    So this would never replace skype for me.

    1. Re:Not what Skype is for me. by mellon · · Score: 1

      I use SIP for my PoTS gateway. It's pretty seamless. Something like Tox, if it works, would be an incremental improvement.

  8. Tox? What happened to BitTorrent Chat? by DiSKiLLeR · · Score: 1

    Tox? What happened to BitTorrent Chat? I though the bittorrent folks themselves were making a secure decentralised chat client, it even made news on slashdot once.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    1. Re:Tox? What happened to BitTorrent Chat? by Anonymous Coward · · Score: 2, Informative

      It's been renamed to Bleep and is in closed pre-alpha testing:
      http://blog.bittorrent.com

  9. Re:Oh Great Just What We (Don't) Need by greenwow · · Score: 1

    It's so bad, Microsoft doesn't even make it easy to kill it off. Even Scott Adams made a Dilbert cartoon about how bad it is:

    http://dilbert.com/strips/comi...

  10. Microsoft Gave the NSA Backdoor access to Skype .. by Anonymous Coward · · Score: 4, Informative

    'A lengthy new Guardian report claims Microsoft worked directly with the NSA by giving complete back door access to Outlook (and Hotmail), Skype and SkyDrive. The report basically says each service was easily circumvented in order to make the NSA’s job of sleuthing data incredibly easy, as if your private info was selling at a weekend garage sale. One NSA document even described the collaboration with Microsoft as a “team sport.”' ref

  11. Re:Oh Great Just What We (Don't) Need by rstanley · · Score: 1

    "So now we're proposing something even worse."

    Why do you think it will be worse? Give them a chance and let's see the released version.

  12. Diaspora by Anonymous Coward · · Score: 1

    Who wants to meet up on Diaspora and chat about Tox?

  13. Key exchange by manu0601 · · Score: 2

    And how do you exchange key? Do they plan a web of trust à la GPG?

    1. Re:Key exchange by Anonymous Coward · · Score: 3, Interesting

      I discussed it with one of the admins on their IRC.
      "it's up to the users to give their public key to their friends in a way that it won't be intercepted in transit and replaced"

    2. Re:Key exchange by MtHuurne · · Score: 2

      It could be handled like SSH: when you get an invite to connect to someone, their key fingerprint is displayed. If you are paranoid, you can verify the fingerprint via alternative channels. Otherwise, you blindly accept it. In either case, you are protected against man in the middle attacks after that first connection is made. Also, if you did accept a fake key, any time you try to talk to that person over a network where the man in the middle is not present will trigger a key mismatch, revealing that an attack took place on the initial connect.

    3. Re:Key exchange by BitterOak · · Score: 4, Interesting

      And how do you exchange key? Do they plan a web of trust à la GPG?

      A better approach would be to generate a random session key and each user's client would display some sort of hash (it doesn't need to be really long: 6 or 8 digits would suffice) of that key. Assuming the two parties know each other and recognize each other's voice and/or face, one of them can read the hash to the other. If there's a MITM attack, they won't match. As I said, the hash doesn't need to be long, since one mismatch would indicate trouble.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    4. Re:Key exchange by MtHuurne · · Score: 1

      That's a good idea. You could even present the hash in a more accessible way, like picking two words from a dictionary or showing three icons from a fixed set.

    5. Re:Key exchange by manu0601 · · Score: 1

      Hi, my key hash is "anonymous coward".

    6. Re:Key exchange by nadaou · · Score: 3, Informative

      Phil Zimmermann has already done all this. It's called ZRTP.

      https://en.wikipedia.org/wiki/...
      https://www.youtube.com/watch?...

      --
      ~.~
      I'm a peripheral visionary.
    7. Re:Key exchange by Bob9113 · · Score: 1

      And how do you exchange key? Do they plan a web of trust à la GPG?

      That was one of my first questions. The answer is; however you want. They provide an "easy" (hence vulnerable) method for doing so, but you can check the public key hash against your securely transferred value before approving a key if you want.

      Or, slightly differently; this is not a key exchange system, just a comm system you can use once you have authenticated a key to your level of security requirement.

      --
      Stop-Prism.org: Opt Out of Surveillance
    8. Re:Key exchange by magamiako1 · · Score: 1

      You assume that people actually pay attention to these key mismatches and don't automatically click "yes" to them.

      Would be worth a social experiment just to prove you idiots wrong ;)

    9. Re:Key exchange by siliconeyes · · Score: 1

      That is actually exactly what my app, Zip Phone (link) does.

      All voice traffic is encrypted using a randomly generated 256-bit AES key, which is exchanged using 2048-bit RSA. Both phones display a hash of the public key, so the callers can exchange it vocally to confirm that there is no MITM.

      The REALLY neat thing about my app, if you ask me, is the fact that it automatically makes VoIP calls to any of your contacts that also have the app installed, without you even needing to open up the app.

  14. Kazaa by gringer · · Score: 2

    Hmm, interesting. It might be worth pointing out that Skype was originally based on a decentralized service pushed through the Kazaa network:

    http://arxiv.org/abs/cs/041201...

    Like its file sharing predecessor KaZaa, Skype is an overlay peer-to-peer network. There are two types of nodes in this overlay network, ordinary hosts and super nodes (SN). An ordinary host is a Skype application that can be used to place voice calls and send text messages. A super node is an ordinary host’s end-point on the Skype network

    Of course, the problem with the Skype system (as it was when that paper was written) is that the decentralised nature of the network means that your video call could be routed through any number of Skype network nodes (i.e. computers) before it arrives at its destination. I think now Microsoft has replaced most of the supernodes with microsoft servers, so replace "any number of Skype network nodes" with "any number of Microsoft servers".

    Presumably Tox is doing something similar to going back to the roots of Skype, with maybe a bit more encryption thrown in.

    --
    Ask me about repetitive DNA
    1. Re:Kazaa by WoodburyMan · · Score: 5, Insightful

      I can attest to Skype doing this. A friend away moved away for graduate school and we would communicate using Skype, so I started just leaving the desktop application open. My computer is located in my bedroom, with a switch next to it. I woke up like 3am, see the lights FLASHING going all sorts of nuts on my switch, which was weird as I had nothing on my pc open at the time. I check net stat... i see a inbound and outbound connection, one to some SBC DSL user in Atlanta, another to a Comcast user somewhere else, forgot where, but some other state. I kill Skype. BAM, connections close, traffic resumes normal operation. Skype was using my computer as relay service, since I have active UNPN, and the other two client presumably had some sort of firewall blocking direct communication. To this day i tell *EVERYONE* who uses the Desktop app to close it as soon as they're done to prevent this as most home connections now have meters. (Charter's is 250gb/mo for 30mbit, which I hit 150gb+ some months when I was toying around with AOSP and downloading the entire repo a few times after screwing up a VM or something).

    2. Re:Kazaa by AndrewBuck · · Score: 1

      I have noiced the same thing on my skype in the past. I am fine with contributing some p2p bandwidth but wish the program was a bit more upfront about telling you about it.

      On a separate but related issue, I used to use netstat for the same kind of thing you did, but now I run a program called nethogs, which is a command line tool a lot like top, but shows bandwidth usage by process in real time in more sane units like kb/s instead of the ugly packet buffer counts netstat uses which are kind of hard to read. It also sorts by bandwidth similar to how top shows the high cpu users on top by default so it is easy to see what the "random process eating your network" is.

      -AndrewBuck

    3. Re:Kazaa by Anonymous Coward · · Score: 1

      Skype CAN and DOES read your messages, and quite probably your voice and video too.
      Send a text chat message with a unique one time URL to your own box in it over Skype, such as:
      http://yourbox.com/laks2312kjceie
      You will see a bot fetch you. Skype scraped the link out of your so called privately encrypted chat.
      Google it if you don't believe me.
      SKYPE CANNOT BE TRUSTED, EVER!!
      NO CLOSED SOURCE CAN BE TRUSTED!!!!!
      Quit freaking using closed source, there's no reason to anymore.

  15. Privacy Last by westlake · · Score: 2, Informative

    Readers of this story will have noticed the links to four of the major social media sites, including Facebook.

    Since the earliest days of USENET and IRC Chat, the geek has a flawless record of making one-on-one communication over the Internet as painful a process as possible for the non-technical user.

    It took the commercial services like Sype to break the spell.

    1. Re:Privacy Last by Anonymous Coward · · Score: 1

      Even just downloading and running it is a PITA. Click the flashy download button on the front page and you get to a crappy wiki page listing several "proof of concept clients" - pick one! Of course, if you look further in the Wiki you'll find that there's about a dozen other clients as well, and none with the complete feature set. So now we have gone from downloading and installing to reading, studying, pondering and failing... great way to make people use your software!

      Oh, about the failing part: why isn't the Windows package with the updater a proper installer? Idiosyncrasies like this do turn away users.

    2. Re:Privacy Last by Bob9113 · · Score: 2

      Since the earliest days of USENET and IRC Chat, the geek has a flawless record of making one-on-one communication over the Internet as painful a process as possible for the non-technical user.

      Don't be facetious. One-on-one communication could be much more painful. In the specific case of secure (ie: end-to-end encrypted) communication, Tox is approaching the theoretical limit of simplicity. Key exchange has a mathematically bound minimum complexity in order to be secure. The reason Skype is not secure is precisely because it is easier to use than Tox.

      Or, slightly differently: Tox is an example of geeks making one-to-one comm as easy as it possibly can be, for the given requirements.

      --
      Stop-Prism.org: Opt Out of Surveillance
    3. Re:Privacy Last by rastos1 · · Score: 2

      Where did you get the idea that USENET or IRC is supposed to facilitate one-to-one communication?

  16. Re:Oh god why. by TrollstonButterbeans · · Score: 1

    It is a legitimate concern. Mocking it doesn't allay the concern.

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  17. it's a great idea with one major flaw by AHuxley · · Score: 2

    Not much the average consumer can do about wire tap friendly products built into tame telco approved hardware and software as offered globally.
    You can code a software layer into your consumer device that offers really good quality encryption.
    The problem is not so much a back door, trap door, just that every letter and number entered on the device is open to hardware logging by default by a gov activated telco layer..
    A person is walking around with a gps becon, live mic, camera and plain text capturing device they 'trust' due to a thin top layer of very good code?
    A one time pad system, air gapped to get the message out? A user no longer has real time joy but is then only offering location, who made the message, where it went, when and all the details about the device that sent the message.

    --
    Domestic spying is now "Benign Information Gathering"
  18. Re:info by nadaou · · Score: 1

    It's really not that hard at all.

    http://en.wikipedia.org/wiki/Off-the-Record_Messaging#Authentication

    and it comes with a very good implementation and pedigree,

    https://en.wikipedia.org/wiki/ZRTP

    Here's a video demo of ZRTP in use:

    https://www.youtube.com/watch?v=udBBDHT-_UA

    So as far as the user is concerned, there's not reason it can't be dead simple.

    --
    ~.~
    I'm a peripheral visionary.
  19. Re:Oh god why. by viperidaenz · · Score: 2

    The only way to stop your IP from being broadcast around the internet is to not use the internet.

    The only way to receive a packet of data is for someone else to know your IP address. Either the entity initiating the send, or some kind of proxy along the way.

    It's how the internet works.

    Please explain how it's a legitimate concern and how to alleviate it.

  20. Mandatory linux 4.3 upgrade by smchris · · Score: 1

    It always seemed we could at least sandbox Skype as a limited unique user, but 4.3 requires Pulse and pulse is increasingly the de facto sound system over alsa. Correct me if I'm wrong but doesn't pulse running at the user level only allow ONE user and system-wide utilization is vehemently discouraged by the developers for SECURITY reasons? If so, it seems like Microsoft and the NSA have worked out a way to p0wn any linux box where a person has installed a working 4.3 Skype.

    I guess you could still use it for chat as a unique user.

    1. Re:Mandatory linux 4.3 upgrade by hweimer · · Score: 1

      Correct me if I'm wrong but doesn't pulse running at the user level only allow ONE user and system-wide utilization is vehemently discouraged by the developers for SECURITY reasons?

      No, it's the other way round: Running PulseAudio as a system daemon (as opposed to the default way of per-user sessions) has security implications.

      --
      OS Reviews: Free and Open Source Software
  21. Re:Oh god why. by TrollstonButterbeans · · Score: 1, Insightful

    A server in the middle that acts as a central point.

    I get what you are saying, but exposing IP addresses to 3rd parties isn't typically desirable.

    Case in point, I don't have your IP address. And you don't have mine.

    Sure email works like that (although possibly less so in current era with gmail and such, then again maybe not), but many services don't. Sure, the service provider --- the middleman --- has access to that, but the other users don't.

    A solution to a problem isn't necessarily a knee-jerk opposite solution (centralized vs. decentralized) but often some variation of an existing successful model that is slightly flawed, correcting *ONLY* the part that is flawed, not the parts of the service infrastructure that work well.

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  22. Re:Oh god why. by Infoport · · Score: 1

    remailers and nyms can do it for email. Unfortunately you get a lot of latency, sometimes added on purpose for extra security (to prevent tracking by timing) You encrypt reply blocks that have nested instructions to send the also-encrypted message along. Each server can only decrypt their own portion. With two servers between you, neither end point knows the other end point. Servers in different countries may be used in series. You can assemble such a reply block and attach it to anonymously sent emails or posts.

    Some servers allow you to set up an address, and associate it with a reply block. You then have created a "nym", on a nymserver, and can give out that email address to places rather than a reply block.

    An additional part can give the encrypting key to the next server, so the server which decrypts a section encrypts the messages it sends out with the next server's key routinely.

    Unfortunately, to have deniability regarding a sent message, you can't send it and have it immediately appear on the other end.

  23. Re:Oh god why. by Anonymous Coward · · Score: 3, Insightful

    As with nearly everything in life, privacy and security are not all-or-nothing, black-or-white issues - instead it is a set of trade-offs, what do you have to give up in order to get a desired result. It is at least a 2-dimensional spectrum where limiting exposure to the minimum necessary nodes versus any node that takes an interest is preferrable.

    Look at it this way - most people don't have a problem giving their credit card number to a website when they make a purchase but would not find it acceptable to share their credit card number with every website they log in to.

    We know by its existence that onion-routing is one way to minimize IP address exposure. It does not eliminate it, but it drastically reduces the window of exposure. That increased privacy comes at a cost, the question, as it is with all costs, is if the cost is worth it.

  24. Fucking 'Dependencies" by Anonymous Coward · · Score: 1

    Just tried to install it after adding the PPA and it's missing mysterious dependencies, thus cannot be installed. Rubbish. Promotion should offer an incentive, not a host of obstructions! Back to Jitsi, cunts.

  25. Re:Oh god why. by ThatsMyNick · · Score: 1

    On slashdot, your IP doesnt get exposed to everyone, silly. It only gets exposed to slashdot (and routers in between if you are not using SSL). Finding your IP (and hence your location), by just your name viperidaenz, is a little bit worrying and a valid concern. If you dont find it worrying, you should start signing each of your slashdot posts with your current IP.

  26. Re:Oh god why. by viperidaenz · · Score: 1

    I don't have your IP, you don't have mine. The 3rd party in the middle does. There is a single point where all interaction with Slashdot can be intercepted.

    I get what you are saying, but exposing IP addresses to 3rd parties isn't typically desirable.

    What? That's exactly what you're advocating.

    The flaw in the system is the central server.

    Email works fine how it is, because of the requirement to store messages when recipients are offline. Yet it still doesn't suffer the problem of all messages going through a single entity. You're free to connect directly to the recipients mail server. You're not forced to go through a particular company or country.

    Real time video links don't have that requirement. There is no need for a central server. All you need is some kind of directory. A DHT fills that requirement.

  27. Re:Oh god why. by viperidaenz · · Score: 2

    aka http://en.wikipedia.org/wiki/O...

  28. Re:Oh god why. by viperidaenz · · Score: 1

    Finding my IP just by my name viperidaenz requires nothing more than an NSL.

    Regards,
    viperidaenz
    IP: 10.0.102.54

    ps: there may be one or more network address translations and proxy servers in the way.

  29. Re:Oh god why. by stephenmac7 · · Score: 2

    He said: or a man in the middle.

    --
    "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
  30. Toxic? by profi · · Score: 1, Interesting

    Tox is licensed under GPL v3 which is incompatible with iOS. Brilliant idea to exclude one of the most popular mobile platforms, this will surely replace Skype.

  31. Re:Oh Great Just What We (Don't) Need by grcumb · · Score: 2

    You have to be seriously insane to even consider trying to do real time video over something akin to Bittorrent.

    A few months ago, I would have agreed with you. But I've been using the PopcornTime app since then, and it reliably delivers HD streams with few if any stutters. There's no reason to believe a single (video+)voice stream wouldn't be possible using a similar approach....

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  32. Re:Oh god why. by viperidaenz · · Score: 1

    There you go again.

    I would say that doesn't anonymity contribute to a healthy internet

    That's exactly what you lose when you route all your communications through a single provider. You're left with pseudonymity.

  33. Trust agility by savuporo · · Score: 1

    Easy way to make this much more useable is to keep the current user rendezvous infrastructure, but use a layer on top for key exchange that goes through user-elected central servers.
    The entire Moxie Marlinspike's trust agility thesis. Let the users choose the central entity that they trust for making the rendezvous via a plugin or a high level protocol layer - something as simple as a REST api over https. Every trust provider just has to provide an API endpoint for signing and exchanging keys.

    App to user : Here is Bob's key - signed by Slashdot's server. User: screw you, slashdot got hacked twice and their web looks funnay. I trust no one that comes that way. Does Bob exist on BookFace instead ? And so on. You could also have a distributed database of trust provider endpoints along with their current , recent and overall trustworthiness rankings.

    --
    http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
  34. The people by WeeBit · · Score: 1

    I discuss similar stuff with people. You have a few that don't care but you also have many that are getting wrong advice. Many were told that legally they can't highly secure their cell phones, computers, tablets, etc. Plus a few even said that to be as secure as possible will have them put under suspicion of illegal activities and they don't want that kind of attention.

    I believe security is good if it accomplishes what it is intended for. But many that are not secure because for a decade they were told they were fine; "don't worry about it, you have all that you need". Now everything is turned upside down. Security is only good if it is used. Unless someone has a magic plan to get the public to use the new secure software that seems to be invented regularly for the past six to eight months, many of it may go obsolete before the first anniversary of the software arrives.

  35. Re:Oh god why. by NotSanguine · · Score: 1

    It is a legitimate concern. Mocking it doesn't allay the concern.

    A legitimate concern? Man! I want some of what you've been smoking, buddy!

    I'd be really interested to know how one can send and receive data across the Internet without sharing your IP address with each intervening router, as well as the endpoint. I've been doing IP networking (since you're obviously rather thick, I'll explain that IP is the Internet Protocol which is the basis for all communications across the Internet. You can find out more with the TCP/IP Tutorial and the Internet Protocol Specification) for a long time, possibly since before you were born (your comments indicate that it may have been yesterday) and your IP address is critical to routing your data to and from the network node you're using at any given time.

    So please, do enlighten all of us who clearly don't have your intimate knowledge of IP networking as to how we can send and receive data without sharing our IP address. I'd be much obliged.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  36. Re:Oh god why. by NotSanguine · · Score: 1

    It is a legitimate concern. Mocking it doesn't allay the concern.

    Oh, and I wouldn't dream of mocking your "point." I'll just mock you. You're certainly asking for it.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  37. Re: Oh god why. by sandertje · · Score: 1

    Pipe it through a VPN

  38. The public key... by Aethedor · · Score: 1

    ... consists of 64 hex characters. This gives a 256 bit public key. Not very strong or am I missing something?

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
    1. Re:The public key... by Aethedor · · Score: 1

      Oh, wait. Elliptic curve cryptography, never mind my previous post.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
  39. Re:Oh god why. by viperidaenz · · Score: 2

    That's where encryption comes in to play when routing data anonymously.

  40. Re:Oh god why. by Pikoro · · Score: 1

    Time to go back to IPX/SPX and NetBIOS

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
  41. Re:Oh god why. by ajb673 · · Score: 1

    (and routers in between if you are not using SSL)

    No I'm fairly sure SSL still exposes your IP to routers. It's only the content that's encrypted not the source.

  42. Bring back the well connected internet by dbIII · · Score: 1

    Instead of some man in the middle proxy bullshit such as Skype we can take advantage of getting away from NAT and have point to point communications over IPv6 just like ringing a phone number.

  43. Re:Oh god why. by DarkTempes · · Score: 1

    Skype already leaks your IP anyway (both to active callers and to anyone that requests it as long as they know your username.)
    It's common knowledge in live streaming that you should hide your skype username when streaming to prevent DoS attacks.

    http://krebsonsecurity.com/201...

  44. Re:Oh god why. by StripedCow · · Score: 1

    We have TOR for that.
    Don't make developers implement stuff that should be handled in different layers of the communication stack. The code will only get more hairy and less secure.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  45. Re:Oh Great Just What We (Don't) Need by LordLimecat · · Score: 1

    It is in fact the exact approach used by Skype in many circumstances. Peer-to-peer voip is neither novel nor difficult.

  46. Re:Oh god why. by AmiMoJo · · Score: 1

    The only way to stop your IP from being broadcast around the internet is to not use the internet.

    Or just use Tor or a VPN. The point is to hide "your" IP address, i.e. the one that can link information back to your internet connection.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  47. Possibly a performance related change by PPalmgren · · Score: 1

    I'm curious whether Skype changed to a more centralized service primarily because of the mobile world. Skype used to be a huge connection and battery hog on phones primarily because of the decentralized nature. Skype used to send messages through that were 'pending' to a contact even when your phone was in standby, because it was constantly trying to push the message to the user.

    After microsoft acquired Skype, one of the first changes was this was removed, but it made it difficult to send messages sometimes because you had to pop your phone out of standby and switch to the app for it to send messages to people who were offline at the time you sent it. It made for some strange broken conversations. Now it just goes to pending and seems to go through right away, and the drag on phone performance is minimal.

    Of course, microsoft has also made some really shitty and annoying changes. I can live with and understand the whole 3-way video chat becoming a premium feature to monetize the service if they're gonna use central servers, but I can't understand the awful UI choices doing their best to remove any possibility of signing out of skype on mobile devices.

  48. Re:Oh god why. by Saint+Gerbil · · Score: 1

    Go ahead I'm not afraid of exposing myself.

  49. Re:Oh god why. by Wootery · · Score: 1

    Either the entity initiating the send, or some kind of proxy along the way.

    It's how the internet works.

    Please explain how it's a legitimate concern and how to alleviate it.

    Just because it's how the Internet works, doesn't mean it might not be a problem. There's a tin-foil hat brigade who use VPNs, after all.

    Crypto analogy: the Internet works in plain-text. That doesn't mean plain-text is always appropriate.

  50. Re:Oh Great Just What We (Don't) Need by PRMan · · Score: 1

    While funny, Right-click the tray icon and select "Quit Skype" and then "OK" when it tells you that nobody can call or text you on it.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  51. Re:Oh god why. by ThatsMyNick · · Score: 1

    Nope, it actually just requires your skype (or Tox) name. If you dont like your IP to be exposed, I am sure you will understand the concerns about tox/skype exposing IPs.

  52. Re:Oh god why. by ThatsMyNick · · Score: 1

    With SSL, they only have source and destination IP, not your username. So association between username and IP is not possible.

  53. Re:Still USA-based, so open to govt^H^H^H^H..... by stderr_dk · · Score: 1

    I did a who-is lookup because what the ^shift-numbers^ does .IM stand for?

    Isle of Man

    --
    alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
  54. Only part of Skype functionality by stub667 · · Score: 1

    There are many services that tackle parts of Skype's functionality, but I have yet to see one that tackles them all. Not only does Skype to chat and client-to-client video conferencing, but it also gives you access to a global POTS gateway both outgoing and inbound, and is available to customers outside of the USA. Viber, Line, WeChat, Google and tox don't have the functionality to take away Skype's business. So we remain stuck with Skype, despite their ever worsening service and dubious allegence.