Slashdot Mirror


Tox, a Skype Replacement Built On 'Privacy First'

An anonymous reader writes: Rumors of back door access to Skype have plagued the communication software for the better part of a decade. Even if it's not true, Skype is owned by Microsoft, which is beholden to data requests from law enforcement. Because of these issues, a group of developers started work on Tox, which aims to rebuild the functionality of Skype with an emphasis on privacy. "The main thing the Tox team is trying to do, besides provide encryption, is create a tool that requires no central servers whatsoever—not even ones that you would host yourself. It relies on the same technology that BitTorrent uses to provide direct connections between users, so there's no central hub to snoop on or take down."


  1. Back door by WillKemp · · Score: 2

    Even if it's not true [......]

    Considering all the revelations that have emerged about surveillance in those ten years, the possibility that it's not true seems barely worth considering.

    1. Re:Back door by AHuxley · · Score: 4, Interesting

      AC the backdoor aspect is both national and international
      "FBI Wants Backdoors in Facebook, Skype and Instant Messaging"
      http://www.wired.com/2012/05/f...
      ".... drafted by the FBI, that would require social-networking sites and VoIP, instant messaging and e-mail providers to alter their code to make their products wiretap-friendly."
      Then the world was given more details "Encrypted or not, Skype communications prove “vital” to NSA surveillance" May 14 2014
      http://arstechnica.com/securit...
      As for the "nobody on the inside has ever leaked out." aspect try http://cryptome.org/2013-info/...
      The "inside" can now be understood by aspects like "Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.’s"
      http://www.nytimes.com/2013/09...
      ..."employees sit alongside Drug Enforcement Administration agents and local detectives and supply them with the phone data from as far back as 1987."
      How past "parallel construction" and telco support will respond to any new "peer-to-peer and voice calling" will be interesting.
      How did the US and UK get to past bespoke crypto telco hardware in the 1950's and beyond? Plain text always seemed to emerge just in time.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: Back door by Anonymous Coward · · Score: 2, Interesting

      If you send traffic to a central server, and if the traffic is unencrypted OR is encrypted by a key you don't control then monitoring your traffic without you being able to prove it is absolutely possible.

      You *always* send data to servers you don't control when you transmit data over the public net, everybody already knows that and anybody that assumed any sort of privacy when transmitting data over a public network is a deluded fool, clearly you are in that category.

      I suppose to you that means it doesn't exist.

      No I am talking about backdoors in client side software (in things like windows and osx, the kind that has been perpetuated for years without any actual proof) because you do not *need* backdoors in server software when you have a dragnet that can capture masses of public traffic. It may make it easier but it is by no means necessary.

      I've been watching the antics of you corporate apologists and law enforcement worshippers for some time now. You'd almost be funny if your attitudes weren't so poisonous to a free society.

      No I am just not using fear of mass surveillance to push an agenda of free software. The problem with people like you is you are trying to lull people into a false sense of security by advocating privacy and openness while ignoring that software like this is not the answer (didn't work out too well for Tor now did it?). If what you are genuinely after is a free society then you already know that free software and data encryption are a stupid place to start because you're always the next zero day vulnerability or a compromised public server away from malicious parties intercepting your data. I am not entirely sure if your position is through ignorance or malice but either way trying to convince people that software like this will lead to a free society is utter stupidity of the highest order or deviously malicious at the other end.

      Free software and private communications are a side-effect of a free society, they are in no way capable of creating a free society because they can be compromised and the networks on which they operate can be compromised.

    3. Re:Back door by wiredlogic · · Score: 2

      Of course it's backdoored. The only reason why eBay bought Skype is to cross-correlate with PayPal accounts in exchange for taking the heat off threats of banking regulation.

      --
      I am becoming gerund, destroyer of verbs.
  2. it's a great idea with one major flaw by Anonymous Coward · · Score: 5, Insightful

    Decentralized services are a great idea, but there is one big flaw. Not enough people care about it to get a critical mass of users. Virtually everyone outside a handful of tech geeks will keep using the centralized services, so to talk to people out there in the real world, you'll need to use the centralized services too. Or, restrict yourself to these decentralized networks and find they are mostly empty, maybe several thousands of users across the whole of the world.

    And good luck trying to explain to Joe/Jane Sixpack how to use them. You have to fight against the centralized data-mined services that came preinstalled on their devices, and that's a non-starter for most people.

    It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.

    1. Re:it's a great idea with one major flaw by dcollins117 · · Score: 4, Insightful

      Decentralized services are a great idea, but there is one big flaw. Not enough people care about it to get a critical mass of users.

      There's a group of Hollywood celebrities that have just been made aware of the need for decentralized and more private internet services. I think people will care, albeit only after a problem has occurred.

    2. Re:it's a great idea with one major flaw by Bing+Tsher+E · · Score: 5, Insightful

      They just have to stop storing personal content 'on the cloud'. Don't buy into the idea of no local storage. Say NO to devices that don't have an SD slot ( sorry, Apple and Google...)

      32g sd cards are really cheap now.

    3. Re:it's a great idea with one major flaw by exomondo · · Score: 2

      Where "yourself" is one of a set of firms that specialize in very high security hosting for high-risk clients. Using an iphone locked them in to Apple's lowest-common denominator of secure hosting, and while that's great for the average low-value target, it isn't sufficient for someone with a lot to lose.

      That's rubbish, you are not "locked" in to Apple's hosting, stop spreading FUD. You can quite easily turn off iCloud and use whatever service you want or no cloud storage at all, it is already decentralized. You are just swapping one supposedly secure service for another.

    4. Re:it's a great idea with one major flaw by exomondo · · Score: 2

      I'm afraid I must say "good luck with that".

      Not sure why, I don't need luck because it already works fine with services like DropBox and Skydrive or there's apps from western digital and synology. I could even use the APIs to write my own if I wanted to.

    5. Re:it's a great idea with one major flaw by Tom · · Score: 2

      It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.

      We've largely solved the issue with things like magnet links and decentralized databases.

      The issue we still haven't solved is in our mind: We believe everyone needs to have "tech literacy", completely forgetting that every invention in history became successful only after someone made it easy to use for people without learning all the mechanical details about it. When only car mechanics could drive a car, the total number of cars in the world was less than that in your local shopping mall's parking lot today. Is that change because cars became more easy to use, or because more people became car mechanics? Take a guess.

      --
      Assorted stuff I do sometimes: Lemuria.org
    6. Re:it's a great idea with one major flaw by TheRaven64 · · Score: 2

      Step one is to have the big high-profile stories in the press about the problems. Step two is to have the big high-profile stories in the press about the alternatives. The important thing now is for anyone who is contacted by the press as an expert to ask about the iCloud hack to make it very clear that this isn't an Apple-specific problem, it's a problem inherent in the entire design of centralised services and to list alternatives.

      --
      I am TheRaven on Soylent News
  3. An oxymoron ... by CaptainDork · · Score: 2

    It fails not for technical reasons. It fails because of widespread tech illiteracy in the general population.

    You do see what I mean, right?

    --
    It little behooves the best of us to comment on the rest of us.
  4. Re:Oh god why. by viperidaenz · · Score: 4, Insightful

    OH SHIT
    My IP gets exposed? Like how I've just sent it to Slashdot and the countless routers and proxies between my PC and the Slashdot servers?

  5. Re:Oh Great Just What We (Don't) Need by viperidaenz · · Score: 3, Funny

    You mean peer to peer, instead of relaying via a server?

  6. Microsoft Gave the NSA Backdoor access to Skype .. by Anonymous Coward · · Score: 4, Informative

    'A lengthy new Guardian report claims Microsoft worked directly with the NSA by giving complete back door access to Outlook (and Hotmail), Skype and SkyDrive. The report basically says each service was easily circumvented in order to make the NSA’s job of sleuthing data incredibly easy, as if your private info was selling at a weekend garage sale. One NSA document even described the collaboration with Microsoft as a “team sport.”' ref

  7. Key exchange by manu0601 · · Score: 2

    And how do you exchange key? Do they plan a web of trust à la GPG?

    1. Re:Key exchange by Anonymous Coward · · Score: 3, Interesting

      I discussed it with one of the admins on their IRC.
      "it's up to the users to give their public key to their friends in a way that it won't be intercepted in transit and replaced"

    2. Re:Key exchange by MtHuurne · · Score: 2

      It could be handled like SSH: when you get an invite to connect to someone, their key fingerprint is displayed. If you are paranoid, you can verify the fingerprint via alternative channels. Otherwise, you blindly accept it. In either case, you are protected against man in the middle attacks after that first connection is made. Also, if you did accept a fake key, any time you try to talk to that person over a network where the man in the middle is not present will trigger a key mismatch, revealing that an attack took place on the initial connect.
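
The SSH-style handling described in the comment above, as an added Python example that is not part of the thread and not Tox's own code. `PinStore`, `fingerprint` and the sample keys are hypothetical names and constructed values.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """Human-comparable fingerprint: first 128 bits of SHA-256, in groups of 4."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return ":".join(digest[i:i + 4] for i in range(0, 32, 4))


class PinStore:
    """Trust on first use: remember the first key seen for each contact."""

    def __init__(self):
        self._pins = {}  # contact name -> pinned fingerprint

    def check(self, contact: str, public_key: bytes,
              verified_out_of_band: bool = False) -> str:
        fp = fingerprint(public_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            # First contact: nothing to compare against, so the key is
            # accepted. Only an out-of-band check makes this step safe.
            self._pins[contact] = fp
            return "pinned-verified" if verified_out_of_band else "pinned-unverified"
        if pinned == fp:
            return "match"
        # The key changed. This does not say which key is genuine, only
        # that one of the two connections was not with the same party.
        return "MISMATCH"


def scenario() -> list:
    """First invite arrives over a hostile network, a later one over a clean one."""
    bob_real = bytes.fromhex("11" * 32)   # constructed sample key
    mitm_key = bytes.fromhex("22" * 32)   # constructed sample key
    store = PinStore()
    return [
        store.check("bob", mitm_key),   # blindly accepted on first use
        store.check("bob", mitm_key),   # same network: nothing looks wrong
        store.check("bob", bob_real),   # interceptor absent: key mismatch
    ]


if __name__ == "__main__":
    print(scenario())
```

The mismatch only surfaces if the client refuses to overwrite the pin silently; a client that re-pins on every change loses the detection the comment relies on.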

    3. Re:Key exchange by BitterOak · · Score: 4, Interesting

      And how do you exchange key? Do they plan a web of trust à la GPG?

      A better approach would be to generate a random session key and each user's client would display some sort of hash (it doesn't need to be really long: 6 or 8 digits would suffice) of that key. Assuming the two parties know each other and recognize each other's voice and/or face, one of them can read the hash to the other. If there's a MITM attack, they won't match. As I said, the hash doesn't need to be long, since one mismatch would indicate trouble.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
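
The spoken-hash check described in the comment above, as an added Python example that is not part of the thread and not Tox's or ZRTP's code. The Diffie-Hellman group here is a toy chosen so the block runs with the standard library only, and every function name is hypothetical.

```python
import hashlib
import secrets

# Toy group for illustration only: 2**255 - 19 is prime, but this is not
# a vetted key-exchange construction.
P = 2**255 - 19
G = 2


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv: int, their_pub: int) -> bytes:
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def short_auth_string(key: bytes, digits: int = 6) -> str:
    """Short decimal hash of the session key, to be read aloud on the call."""
    n = int.from_bytes(hashlib.sha256(b"SAS" + key).digest(), "big")
    return str(n % 10**digits).zfill(digits)


def call(intercepted: bool):
    """Return the strings Alice and Bob would each see on screen."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # The party in the middle substitutes its own public key in both
        # directions, so each side shares a key with it, not with the peer.
        _, m_pub = keypair()
        seen_by_alice, seen_by_bob = m_pub, m_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    return (short_auth_string(session_key(a_priv, seen_by_alice)),
            short_auth_string(session_key(b_priv, seen_by_bob)))


if __name__ == "__main__":
    print("direct:     ", call(False))
    print("intercepted:", call(True))
```

A string this short is only sufficient when neither side can retry key generation until the digits happen to agree; ZRTP has one side commit to its key with a hash before the keys are revealed, for that reason.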
    4. Re:Key exchange by nadaou · · Score: 3, Informative

      Phil Zimmermann has already done all this. It's called ZRTP.

      https://en.wikipedia.org/wiki/...
      https://www.youtube.com/watch?...

      --
      ~.~
      I'm a peripheral visionary.
  8. Kazaa by gringer · · Score: 2

    Hmm, interesting. It might be worth pointing out that Skype was originally based on a decentralized service pushed through the Kazaa network:

    http://arxiv.org/abs/cs/041201...

    Like its file sharing predecessor KaZaa, Skype is an overlay peer-to-peer network. There are two types of nodes in this overlay network, ordinary hosts and super nodes (SN). An ordinary host is a Skype application that can be used to place voice calls and send text messages. A super node is an ordinary host’s end-point on the Skype network

    Of course, the problem with the Skype system (as it was when that paper was written) is that the decentralised nature of the network means that your video call could be routed through any number of Skype network nodes (i.e. computers) before it arrives at its destination. I think now Microsoft has replaced most of the supernodes with Microsoft servers, so replace "any number of Skype network nodes" with "any number of Microsoft servers".

    Presumably Tox is doing something similar to going back to the roots of Skype, with maybe a bit more encryption thrown in.

    --
    Ask me about repetitive DNA
    1. Re:Kazaa by WoodburyMan · · Score: 5, Insightful

      I can attest to Skype doing this. A friend moved away for graduate school and we would communicate using Skype, so I started just leaving the desktop application open. My computer is located in my bedroom, with a switch next to it. I woke up at like 3am, see the lights FLASHING going all sorts of nuts on my switch, which was weird as I had nothing on my PC open at the time. I check netstat... I see an inbound and outbound connection, one to some SBC DSL user in Atlanta, another to a Comcast user somewhere else, forgot where, but some other state. I kill Skype. BAM, connections close, traffic resumes normal operation. Skype was using my computer as a relay service, since I have active UPnP, and the other two clients presumably had some sort of firewall blocking direct communication. To this day I tell *EVERYONE* who uses the Desktop app to close it as soon as they're done to prevent this as most home connections now have meters. (Charter's is 250gb/mo for 30mbit, which I hit 150gb+ some months when I was toying around with AOSP and downloading the entire repo a few times after screwing up a VM or something).

  9. Privacy Last by westlake · · Score: 2, Informative

    Readers of this story will have noticed the links to four of the major social media sites, including Facebook.

    Since the earliest days of USENET and IRC Chat, the geek has a flawless record of making one-on-one communication over the Internet as painful a process as possible for the non-technical user.

    It took the commercial services like Skype to break the spell.

    1. Re:Privacy Last by Bob9113 · · Score: 2

      Since the earliest days of USENET and IRC Chat, the geek has a flawless record of making one-on-one communication over the Internet as painful a process as possible for the non-technical user.

      Don't be facetious. One-on-one communication could be much more painful. In the specific case of secure (ie: end-to-end encrypted) communication, Tox is approaching the theoretical limit of simplicity. Key exchange has a mathematically bound minimum complexity in order to be secure. The reason Skype is not secure is precisely because it is easier to use than Tox.

      Or, slightly differently: Tox is an example of geeks making one-to-one comm as easy as it possibly can be, for the given requirements.

    2. Re:Privacy Last by rastos1 · · Score: 2

      Where did you get the idea that USENET or IRC is supposed to facilitate one-to-one communication?

  10. Re:Tox? What happened to BitTorrent Chat? by Anonymous Coward · · Score: 2, Informative

    It's been renamed to Bleep and is in closed pre-alpha testing:
    http://blog.bittorrent.com

  11. it's a great idea with one major flaw by AHuxley · · Score: 2

    Not much the average consumer can do about wire tap friendly products built into tame telco approved hardware and software as offered globally.
    You can code a software layer into your consumer device that offers really good quality encryption.
    The problem is not so much a back door, trap door, just that every letter and number entered on the device is open to hardware logging by default by a gov activated telco layer.
    A person is walking around with a gps beacon, live mic, camera and plain text capturing device they 'trust' due to a thin top layer of very good code?
    A one time pad system, air gapped to get the message out? A user no longer has real time joy but is then only offering location, who made the message, where it went, when and all the details about the device that sent the message.

    --
    Domestic spying is now "Benign Information Gathering"
  12. Re:Oh god why. by viperidaenz · · Score: 2

    The only way to stop your IP from being broadcast around the internet is to not use the internet.

    The only way to receive a packet of data is for someone else to know your IP address. Either the entity initiating the send, or some kind of proxy along the way.

    It's how the internet works.

    Please explain how it's a legitimate concern and how to alleviate it.

  13. Re:Oh god why. by Anonymous Coward · · Score: 3, Insightful

    As with nearly everything in life, privacy and security are not all-or-nothing, black-or-white issues - instead it is a set of trade-offs, what do you have to give up in order to get a desired result. It is at least a 2-dimensional spectrum where limiting exposure to the minimum necessary nodes versus any node that takes an interest is preferable.

    Look at it this way - most people don't have a problem giving their credit card number to a website when they make a purchase but would not find it acceptable to share their credit card number with every website they log in to.

    We know by its existence that onion-routing is one way to minimize IP address exposure. It does not eliminate it, but it drastically reduces the window of exposure. That increased privacy comes at a cost, the question, as it is with all costs, is if the cost is worth it.

  14. Re:Oh god why. by stephenmac7 · · Score: 2

    He said: or a man in the middle.

    --
    "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
  15. Re:Oh Great Just What We (Don't) Need by grcumb · · Score: 2

    You have to be seriously insane to even consider trying to do real time video over something akin to Bittorrent.

    A few months ago, I would have agreed with you. But I've been using the PopcornTime app since then, and it reliably delivers HD streams with few if any stutters. There's no reason to believe a single (video+)voice stream wouldn't be possible using a similar approach....

    --
    Crumb's Corollary: Never bring a knife to a bun fight.