Ask Slashdot: Are There Secure Alternatives To Skype? (theguardian.com)
How can you make a truly secure phone call? An anonymous Slashdot reader writes:
I have a Windows 8.1 phone and mostly use it for Skype calls and chats. A bit of browsing every now and then, and checking public transportation schedules... What can I do to be able to securely chat and place audio/video calls? What do you think is the best device to buy and what apps to use on it?
Skype for Windows Phone will stop working in 2017, and Skype's privacy was already suspect after Edward Snowden leaked evidence of Microsoft's secret collaboration with the NSA. But are there any good alternatives -- especially for a Windows Phone user? Leave your suggestions in the comments. What are the best secure alternatives to Skype?
There are loads of alternatives to Skype that offer similar (but not identical) functionality. The one I use is WeChat, not because it is better than the rest, but just because it is what the people I care about use. It can do the usual things: chat (text etc) and calls (w or w/o video). No doubt there are many others. As for security: surely you are joking? How would these companies operate, if they couldn't get their cold, clammy hands on the info you send?
Why are you people so obsessed with privacy from the government? It's like listening to a batshit crazy cult around here, especially with the earlier story about going off the grid. You people come off like a bunch of nutjobs, paranoid about everything, even when it's completely unwarranted. The government really doesn't care that you listen to really bad music, like viewing gay porn, that you're morbidly obese, eat a ridiculous amount of Cheetos while sitting at your keyboard, and that you'd secretly like to have gay buttsex with your boss. Seriously, you're not that interesting to the NSA or any other three letter government agency. Chill out and let them do their work to catch terrorists, don't draw unnecessary attention to yourself (like by being paranoid), and you'll have no trouble.
Tox is an alternative, not sure if it is ported to Windows Phone...
https://ring.cx/
Options are plenty. But the point is how you can persuade all your contacts to switch to the niche app of your choice with you.
Simply put, there is no such thing as a truly secure phone call.
Any "easy" solution coming out of or running through the USA needs to be "insecure" thanks to CALEA - Communications Assistance for Law Enforcement Act - but even if this were not an issue, the endpoints can still be bugged and systems hacked.
You may be able to get a fair part of the way there by setting up your own infrastructure (i.e. something which runs over a VPN and/or ZRTP) - Maybe look at Silent Circle for an "easy" partial solution to your woes.
Signal is open source. Use Signal if you want real security.
WhatsApp is closed source but uses the same encryption in Signal. Use it if you need something people already use.
In either case, turn on security notifications and learn what they mean, and verify your contacts by reading out their fingerprint over the voice connection.
Telegram's encryption is kinda broken. Threema's encryption is broken. iMessage only works on iOS and it's slightly broken. I dunno if Allo does voice, but you must turn on encryption manually, so it's probably broken if you imagine the user can be tricked.
But if you're not a spy or terrorist, and don't work in R&D for a high tech company, you might not worry too much that there are people who can access your chats with your wife and your mistress. Social network web sites, chat programs and VoIP clients aren't chosen for their technical merits. Use what the people use with whom you want to communicate.
Electronic Freedom Foundation created the Secure Messaging Scorecard to help answer this question. The biggest problem with this scorecard is it mixes desktop and mobile apps together without really indicating which type of app they are. But both Signal and Silent Phone are available for Android and iOS. Either of these might be worth considering as alternatives for the types of things you currently use Skype for today.
No, there aren't. Every single messenger out there sucks in one way or the other. Be it no e2e cryptography, lack of essential features, lack of native clients for certain platforms or combination of all those.
Matrix - mobile and web clients, no native clients for desktop, e2e (axolotl) still not fully implemented. Group chats are first class citizen though. Federated. Opensource.
Telegram - nice clients on all platforms, very questionable security, cannot run own server, requires mobile number to register. Server is closed source, can't run own server. Clients are opensource.
Tox - p2p messenger. Group chats are very basic. e2e crypto. Development has stalled. Mobile clients drain battery too fast due to p2p nature of messenger. Opensource.
Wire - e2e (axolotl) crypto, desktop client is electron app that SUCKS. Still lacks essential features, went opensource recently.
Anything else is in hands of companies we do not trust.
My bet is on matrix because it is federated, opensource and protocol is mobile-friendly. Once e2e is done there will be security we need, then we just need a native client. IMHO matrix comes closest to fulfilling secure messenger requirement.
http://alternativeto.net/software/skype/
You mention the need for "secure chat", but don't express "how secure" you would like that to be. As others have posted, if you're connected to the internet (and your question is worded to imply that you're looking at Voice Over IP (VOIP) solutions), then there is pretty much no secure option out there... An Agency like the NSA could record all your data packets and brute-force them pretty quickly, if they so chose.
;)
Having said that, it might be possible for us to brainstorm the sort of attributes that would help to make your VOIP calls less insecure. The collective wisdom of slashdotters might then be able to suggest some alternative products for you to consider. Things to look out for might include:-
1. A solution that uses a central server only for the purpose of establishing the IP address of your chosen call recipient, then allows all communication to that recipient to happen directly, point-to-point. There is no need to route call traffic through central servers (unless you want to listen in). Ahem. Skype.
2. A solution that not only uses the latest approved encryption algorithms, but which makes the swapping of an algorithm a relatively easy process [think user-selectable option, addition of a library file with the algorithm code]. The upgrading of key strength/entropy parameters should be even easier...
3. A solution that includes, within the encryption stream, random white noise padding (to make it much harder to determine the precise amount of data being exchanged) might be nice.
And so on...
I did think about including an option that said, "For each legitimate call channel that you set up using the central register of logged-in users, pick three more logged in users at random and simultaneously exchange random, encrypted data packets with those users too." Unfortunately, there are multiple issues with that. First, what if one of those random users really was under surveillance by a three-letter-agency. Using the "association" rules, that agency would then start monitoring you *real* closely... and second, running four calls for the cost of one might actually degrade your network/audio performance if you happen to be on a slow link.
Bottom line; there is no easy answer to your question, but please don't consider using Skype and "secure" in the same statement...
Completely P2P and encrypted. See tox.chat
Before Skype was sold to MS, they were working on a way to implement encryption. Guess what the first thing MS ditched after purchasing?
I use Jitsi/XMPP, personally.
There's a piece of software called Mumble, which is free open-source software and you can host your own server if you wish. The encryption is certificate based and very strong. No video by default, though, but I think there was a plugin available even for that.
don't take yourself so damn important, ha ha ha
paranoid wussies
If we could not ask the same questions every month, that would be great.
Version 1.0 https://www.eff.org/node/82654
A new scorecard will be coming out soon https://www.eff.org/secure-mes...
Skype is one of the worst performing ones.
... a length of string. What the heck...
******
Do you have any idea how much your phone company spends each year just on maintenance?
- No, I've never thought about that.
Well, I guess many people don't. But those billions of miles of wire and all those exchanges... Why, just the maintenance on our thousands of offices and buildings... Not to mention our rolling stock: The cars and trucks, the airplanes and satellites...
And then all those fine people who are on the payroll to take care of all that...
Now, wouldn't it be just grand if we could get rid of that old-fashioned hardware.
- What's this about?
There's another thing that's gonna come as a surprise to you. There are quite a few people who actually dislike the phone company.
-Why have you kidnapped me?
And because of this irrational dislike of their own publicly owned company, they often don't pay their bills and sometimes even damage the equipment.
Would you look over here, doctor? Now, to look at that hand, you'd never dream you're also looking at a miracle in communications, would you?
Well, let's take a closer look. Thanks to the science of microelectronics, you are looking at a telephonic receiver and transmitter.
We call it the Cerebrum Communicator or the CC for short. This dandy little device can actually perform every function of the old-fashioned telephone and more.
And it does it without any costly maintenance. Without telephone poles, without wires, without exchanges, without anything in fact, except another CC in another location.
And now you're probably wondering why have we made it so small. Because it will be in and powered by your own brain.
Fantastic? Well, not quite, no.
We merely inject the CC into that part of the bloodstream which leads to the brain. Technically speaking for you doctors, we inject the CC into the internal carotid artery. The bloodstream carries it directly to the cerebrum where it lodges comfortably in the anterior central gyrus, which for us laymen is simply that part of the brain where intellectual associations take place.
Can you imagine the ease, the fun, with which you can place a call? Why, all you have to do is think the number of the person you wish to speak with, and you're in instant communication anywhere in the world.
-Would you like an opinion of a qualified psychiatrist on all that I've just seen and heard?
Yes, sir, I sure would. We're always interested in the opinions of qualified people. I mean, after all it's your phone company too.
-You're a megalomaniac, and The Phone Company is psychotic.
Getting back to our problem: We realize the public has a misguided resistance to numbers. For example, digit dialing.
-They're resisting depersonalization.
And so Congress will have to pass a law substituting personal numbers for names as the only legal identification and requiring a prenatal insertion of the Cerebrum Communicator. Then a tax could be levied and paid directly to The Phone Company.
- It'll never happen.
Well, it could happen if the president of the United States were to use the power of his office to help us mold public opinion and get that legislation.
- And that's where I come in?
Yes, that's where you come in. Because you are in possession of certain personal information concerning the president which would be of immeasurable aid to us in dealing with him.
-Well, you will get not one word from me.
Oh, I think we will.
******
Theodore J. Flicker's "The President's Analyst", 1967. (He also gave us Barney Miller...)
Paranoia about the control and monitoring of Telephone Calls goes back four decades, with as it turns out, some justification.
I just no longer use the telephone any longer. I haven't much of any interest to say, and since most people now seem to know this, they just never bother call me any more.
WeChat is a Tencent product, and Tencent is partially state-owned by the People's Republic of China. So I can guarantee you that anything you do in that program - in fact, probably anything you do in any device with that program installed, or any device linked to your WeChat profile with social media or other links - is going straight to a national surveillance agency. Just not an American one.
That being the case, I have to seriously question the credibility of anybody suggesting WeChat in the context of basically anything.
WebRTC-based services, in the form of e.g. https://meet.jit.si/, are end-to-end secure and decentralised. Not sure if Windows Phone has any browser which supports WebRTC, though.
Elastix.
It works great.
http://www.oovoo.com/
Check out the offerings ISIS and Al-Qaeda have for secure communications. Localization may be lacking, though. =)
Hardware: Get a BlackPhone. I think Boeing is also offering secure phones for corporate customers as well. Unfortunately Windows Phone is no longer relevant and nobody is writing apps for it anymore.
Software: Use Signal. It supports encrypted messages and phone calls.
Many libs/modules are available that allow you to make a simple chat/video application, including whatever encryption you see fit, even adding some salt to it if necessary. The other party needs the same program. That makes your app even more discreet (by obscurity).
Slashdot, fix the reply notifications... You won't get away with it...
If you run Windows Phone or Windows 10 you should say goodbye to any sort of privacy.
https://www.gnu.org/proprietar...
As of now there are no commercially available smart phones that respect your freedom entirely. Depending on where you draw the line, your best bets are Replicant or at the very least CyanogenMod without any Google Apps.
F-Droid is a package manager for Android that only contains software that respects your freedom.
I have family in Japan, where LINE seems to be popular.
http://line.me/en/
It is a Japanese company:
http://linecorp.com/en/company...
But it supports English speaking very well, too, and on the major platforms.
Unfortunately not on Linux PC's yet.
Ennetcom messaging.... we know it's secure because the Dutch police raided the owner's house with a made-up money laundering charge (claiming that the phones were being resold by criminals to other criminals to launder money). If it's bad enough for the Dutch police to ignore Dutch laws (which make private conversations legal, and encrypted communications legal) and try to shut it down by throwing any old shit at the company boss, it must be secure.
NONE of the others listed in the EFF Scorecard were raided or closed by the police, so you can be sure they are all backdoored.
Certainly Blackberry (on which Ennetcom software ran) jizz your private data to anyone with a fax and photocopy of a police letterhead. The rest do too.
If they didn't, then the FBI, Dutch police or similar organization would be trying to arrest the owners as a way to force them to backdoor their product.
As soon as you involve the phone-system, you are compromised. However, you can have a secure voice-chat, with numerous technologies. If you run your own server, something like mumble may serve. Needs a dedicated client, but security is apparently pretty good. Works on Linux.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Use a Web site to set up a WebRTC peer-to-peer session. I like talky.io, which uses peer-to-peer for one-to-one chats. There are many others, and if you don't like them or don't trust them, you could pretty easily build your own.
The security properties of peer-to-peer WebRTC are pretty good:
-- end-to-end DTLS with perfect forward secrecy
-- all protocols involved are IETF standards and have had a decent amount of public security review
-- Firefox/Chromium implementations are fully open source that you can build yourself and run on Windows/Mac/Linux/Android
-- the Web site that sets up the connection could MITM you, but there are many WebRTC sites to choose from and it's pretty easy for anyone to set up more.
I kinda wonder why governments aren't complaining about WebRTC. It's probably just not popular enough yet.
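The last bullet in the comment above ("the Web site that sets up the connection could MITM you") is checkable: in WebRTC the DTLS certificate hash each side expects travels through the signalling site as an `a=fingerprint` line in the SDP, so comparing it with the value the other person reads out from their own client detects a substituted certificate. This is an added example, not part of the comment or of any WebRTC site's code; the function names, SDP blobs and fingerprint values are constructed for illustration.

```javascript
// Added example, not code from the thread or from any WebRTC site.
// The SDP blobs and fingerprint values below are constructed sample data.

// Digest lengths (in bytes) for the hash names accepted here. Limiting the
// check to the SHA-2 family is a policy assumption of this example.
const DIGEST_BYTES = new Map([['sha-256', 32], ['sha-384', 48], ['sha-512', 64]]);

// Strip separators so "4a ad b9", "4A:AD:B9" and "4aadb9" compare equal.
function normalizeHex(text) {
  return text.replace(/[^0-9a-fA-F]/g, '').toUpperCase();
}

// Collect every "a=fingerprint:<hash> <hex>" attribute (RFC 8122) in an SDP
// blob. These are the certificate hashes the DTLS handshake is checked against.
function extractFingerprints(sdp) {
  const found = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=fingerprint:(\S+) +([0-9A-Fa-f:]+)\s*$/.exec(line);
    if (m) found.push({ algorithm: m[1].toLowerCase(), value: normalizeHex(m[2]) });
  }
  return found;
}

// Compare the fingerprints in the SDP handed over by the signalling site with
// the value the other person read out from their own client over a channel
// the site does not control. `spoken` = { algorithm, value }.
function verifyRemoteFingerprint(remoteSdp, spoken) {
  const algorithm = spoken.algorithm.toLowerCase();
  const expected = normalizeHex(spoken.value);
  if (!DIGEST_BYTES.has(algorithm) ||
      expected.length !== DIGEST_BYTES.get(algorithm) * 2) {
    return { ok: false, reason: 'bad-expected-value' };
  }
  const found = extractFingerprints(remoteSdp);
  if (found.length === 0) return { ok: false, reason: 'no-fingerprint' };
  // Every media section must carry the expected certificate hash; one
  // substituted section lets an intermediary terminate that stream.
  for (const fp of found) {
    if (fp.algorithm !== algorithm) return { ok: false, reason: 'algorithm-mismatch' };
    if (fp.value !== expected) return { ok: false, reason: 'fingerprint-mismatch' };
  }
  return { ok: true, reason: 'match' };
}

// --- constructed sample data -------------------------------------------
// 32 made-up bytes formatted like a SHA-256 certificate fingerprint.
const makeFingerprint = (seed) => Array.from({ length: 32 }, (_, i) =>
  ((seed + i * 7) & 0xff).toString(16).padStart(2, '0').toUpperCase()).join(':');

const ALICE_FP = makeFingerprint(0x4a);        // what Alice's client really uses
const INTERMEDIARY_FP = makeFingerprint(0xc0); // certificate swapped in on the way

// Minimal two-section offer as the receiving side would see it.
const makeSdp = (audioFp, videoFp = audioFp) => [
  'v=0',
  'o=- 1 2 IN IP4 127.0.0.1',
  's=-',
  't=0 0',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'c=IN IP4 0.0.0.0',
  'a=setup:actpass',
  `a=fingerprint:sha-256 ${audioFp}`,
  'a=rtpmap:111 opus/48000/2',
  'm=video 9 UDP/TLS/RTP/SAVPF 96',
  'c=IN IP4 0.0.0.0',
  'a=setup:actpass',
  `a=fingerprint:sha-256 ${videoFp}`,
  'a=rtpmap:96 VP8/90000',
].join('\r\n') + '\r\n';

function demo() {
  // Alice reads her fingerprint aloud: lower case, pairs separated by pauses.
  const spoken = { algorithm: 'SHA-256', value: ALICE_FP.toLowerCase().replace(/:/g, ' ') };
  return {
    honest: verifyRemoteFingerprint(makeSdp(ALICE_FP), spoken),
    rewritten: verifyRemoteFingerprint(makeSdp(INTERMEDIARY_FP), spoken),
    partial: verifyRemoteFingerprint(makeSdp(ALICE_FP, INTERMEDIARY_FP), spoken),
    stripped: verifyRemoteFingerprint('v=0\r\ns=-\r\n', spoken),
  };
}

console.log(demo());
```

In a browser the text to check is `pc.remoteDescription.sdp` and the value to read out comes from the sender's own `pc.localDescription.sdp`; the check says nothing about calls relayed through a media server that terminates DTLS itself.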
https://github.com/uruk/OneTox
Seems to me they all require the same thing. Everyone you want to communicate with has to use the same format. I remember back in the AOL days when Instant Messaging first came about. Everyone either used Microsoft's or AOL's. Today it's like that with Skype, FaceTime, Hangout's or whatever. Communications is designed so people have to use certain apps and technology. Should we just assume that all of them are a privacy issue?
At least here in Bulgaria, this is easily the most popular one.
There is no way to communicate over a long distance without the potential for interception by some entity. The only way is to create your own encrypted protocol. For the everyday Joe that is impossible unless you are a programmer. All mainstream communications platforms today are susceptible to interception including things like TeamSpeak, Ventrilo, Discord, Skype, etc. Unless you are a career criminal looking to hide drug codewords or something like that then mainstream telecommunications are fine for you and your friends. Agency spying (looking for terrorists, pedos, drugs) is to be expected almost as a bundled service lol. If you are simply opposed to any type of spying simply due to privacy and you're not doing anything wrong I'm afraid to say there aren't any secure coms out there for you. You would have to program your own for your friends and family and even then I guarantee you'll get nailed continually by traffic from agencies trying to crack your platform. That's just the way it is. Even tin cans and string can be tapped into if they really wanted to lol. Nothing is secure, moreover, some platforms are actually government funded and heavily tied into systems like echelon, prizm, or whatever flavor of the year spying program they're using these days... and then there's Windows 10 let's not even get started on that trojan horse.
Dutch police close Ennetcom encrypted communications network (April 25, 2016)
The Zephyr tools, popular at MIT in the 1980's and 1990's, were lightweight, stable, and Kerberos integrated. The features added then have proven either so "enhanced" with graphical debris that they are unusable and unreliable, or are founded in L33t Hax0rZ R00lZ fanboy code, written by students who got C's in their course work and spent all their time being L33t instead of actually writing or testing their own software.
The result is Hipchat (Java based, resource sucking and completely unreliable), Twitter (stable and high performing but completely insecure), a million and one IRC apps all of which have only one person who can actually debug it and their mom keeps refusing to bring them more Cheetos, and a new app every day now as the Dotcom bubble starts re-inflating and napkins show up as business plans again.
How about Telegram? https://telegram.org/
or wire?
wire.com
telegram.org
open source, 'secure'...
During the last week I've been testing Wire (https://wire.com), created by some of the original developers from Skype. The video and audio quality is good, and their focus on privacy is strong. Read their Privacy Policy, and, if it convinces you give it a try. It's a relatively new app, so it still has some bugs. It works in iOS, Android, Mac, and Windows (I don't know about windows mobile support). Good luck!
Use BBM by Blackberry and it's available for Windows phone too.
From what EditorDavid posted above from the anonymous poster... I quote:
What can I do to be able to securely chat and place audio/video calls? What do you think is the best device to buy and what apps to use on it?
Looks to me like the anonymous poster is willing to abandon his Windows Phone so I don't know why the blurb below the poster's quote immediately asked for a solution "especially for a Windows Phone user".
I get the wish for secure phone calls to a certain extent, but the anonymous poster sure doesn't seem to be doing anything that absolutely requires this kind of security. Is it really worth buying a new phone and software packages to try to get secure calls to Mommy when there are so many people with cell phones that any logical person would realize that every call can't be monitored by The Man?
If you want the "telephone" experience where you can call anyone, anytime then probably not. Both you and the one you're calling must use compatible systems before you can consider securing it.
If, on the other hand, you're trying to setup a secure call to a known party then there are ways to accomplish this but requires some prep.
Example. Grab a flavor of VOIP software you like to use. Build a central server running something like Asterisk on it. Lock down your network, ensure the only means to access it is via a VPN. ( means you have to setup a VPN server )
Remote user connects to the local network via VPN ( however strong you want it to be ) and the VOIP client will register with the Asterisk server. When all clients are registered, it is a simple matter to dial their extension when you wish to talk to them. Conference calls, multi-way calling, etc. will be available depending on server and client capabilities.
The entire stream goes over the VPN and can connect from anywhere in the world. Security is based on how strong your VPN is so plan accordingly.
The weakest link will be the hardware running the VOIP softclient. Best to use something like an Ipod touch or other non-phone based unit.
If you have the Vonage VOIP service, you can use the One World app to make calls over Vonage.
Signal is currently the best solution for secure messages and phone calls. It's an app for Android and iOS, and Chrome has an extension to sync your messages to a desktop chat. But it communicates between phone numbers of course, so if that's not what you want then it's a bit trickier.
The best totally anonymous desktop messaging protocol I am aware of is Pidgin (Windows, Linux) and Adium (macOS) using the "Off-The-Record" extension. I don't know if there's any good solutions for video chat.
What difference does it make? Windows on mobile phone is dead. It is just decaying in plain sight, rather than being buried - but dead it is.
Windows Mobile also supports Viber and Oovoo for VOIP calls. Would like to hear other people's experiences with those.
..for video/audio calls and other similar communications is heavily encrypted endpoint-to-endpoint VPN traveling though ports that won't get blocked.
Wire offers messaging and audio-video communications. I think one of the main developers was a developer for Skype before Microsoft bought it and left after they were bought by Microsoft.
So I literally use Twitter and a dedicated one time pad. The issue then is not who can see it, but rather, who can decrypt it. The one time pad is as random as random can be, and only with access to the matching pad can it be decrypted.
If you think you can hide any communication, you are deluding yourself. Always make the assumption that anything you transmit can be read globally.
With the one time pad, a non networked device compresses and encrypts the data and then it is sneaker netted to a system with twitter access, uploaded and I simply await the reply.
Actually I'm looking for a good secure / encryption strong tool that works on Linux and Windows, even better if it can do Android. Any Suggestions?
The messaging infrastructure called matrix (matrix.org) could be a viable alternative. It appears to be a new federated messaging service that's trying to learn from the problems that XMPP faced. That being said, you can run a private server and not federate. There's a presentation from Jardin Entropique that talks about the privacy and security issues associated with these kinds of messaging services here:
https://matrix.org/~matthew/2015-06-26%20Matrix%20Jardin%20Entropique.pdf
Does your ISP also fail at IPv6? I've read about a lot of ISPs giving each subscriber his own /56 on IPv6 and using carrier-grade NAT only on IPv4. This technique is called DS-Lite (not to be confused with a Nintendo product).
Offers end-to-end encryption without a man-in-the-middle listener. Uses open industry standard, FIPS 140-2 certified, 256-bit AES encryption on all control and media traffic. The 256-bit AES session key is only available at endpoints, thus not even Vsee themselves can decrypt the traffic. Check out more at: https://vsee.com/security
I have been using Vsee for last few years and consistently found it way more robust and tolerant of network and bandwidth issues than any other video application - including connections to high latency destination over mobile/wireless links.
Primarily designed for healthcare, it is extensively used in remote locations such as Africa.
Free, lightweight and without any intrusive advertisements, I am not sure why it does not get more recognition.
That logic is brilliant.
Sorry, but if you care about privacy, using a proprietary OS is a non-starter. You simply MUST use an open-source operating system. The idea of security on Windows or IOS is absurd. These companies can insert whatever backdoors they wish at any time, and you have no way of knowing or doing anything about it. This isn't a matter of my-platform's-better-than-yours, it's simply the fact that proprietary software and security are not compatible.
There are ways to encrypt.
https://whispersystems.org/
Use anything by Open Whisper Systems.
--Edward Snowden, Whistleblower and privacy advocate
This is akin to the "Ask Slashdot: What torrent sites do YOU use?" fishing expedition.
https://yro.slashdot.org/story/16/08/05/0329246/popular-bittorrent-search-engine-site-torrentzeu-mysteriously-disappears
>Skype's privacy was already suspect after Edward Snowden leaked evidence of Microsoft's secret collaboration with the NSA.
Misleading here. You can't tie the fact that Snowden exposed the NSA/CIA/FBI to merely "Skype is suspect". Slashdot FBI you are all a bunch of homosexual rookies, adept only at butt fucking your mom's faces.
Skype was purchased by Microsoft, Skype is therefore Microsoft. Microsoft spies for the CIA/NSA so therefore Microsoft is CIA/NSA.
Do you use CIA/NSA Windows 10 ANNIVERSARY? Do you not get this yet? Did you not get the memo Microsoft sent out saying we will spy on you every way possible now, or could it be they just didn't tell you?
Skype is like this... your kid runs behind you naked it is leaked to child porn world... which the FBI is in charge of.
http://thenextweb.com/insider/2016/01/28/how-the-fbi-became-the-worlds-largest-distributor-of-child-sex-abuse-imagery/
They also hijack sites like Slashdot and kill people in the way. EditorDavid was killed by the CIA though... but the FBI killed Ian Murdock of Debian Linux. He was in the way and they took the quickest route. Debian was a very mature Linux... accepted widely by home users and even on other devices like QNAP Network Attached Storage (NAS)'s etc. They wanted this backdoor more than the San Bernardino shooter's iPhone password believe me. What you have now is fully backdoored Debian Linux.
They put it all over .onion so you can somehow "discover this profound elite source" as they did with new compromised versions of Tails. (anything 1.5 or later). Most recent news about FBI / Debian involvement is here:
http://distrowatch.com/dwres.php?resource=showheadline&story=1088
Also.. VERY IMPORTANTLY: http://distrowatch.com/dwres.php?resource=showheadline&story=1137
The Debian distribution has announced an upcoming change in the way it handles the GNU Privacy Guard (GnuPG) package, notably a switch to GnuPG's "modern" branch (currently version 2.1.x). Although the transformation will be transparent to most of us, active GnuPG users as well as developers creating Debian packages that depend on GnuPG will have to pay attention as the switch might affect them: "If you're an end user and you don't use GnuPG directly, you shouldn't notice much of a change once the packages start to move through the rest of the archive. Even if you do use GnuPG regularly, you shouldn't notice too much of a difference. One of the main differences is that all access to your secret key will be handled through gpg-agent, which should be automatically launched as needed. This means that operations like signing and decryption will cause gpg-agent to prompt the user to unlock any locked keys directly, rather than gpg itself prompting the user." See this blog post by Daniel Kahn Gillmor explaining the differences between the three GnuPG branches and also providing a list of features of the "modern" GnuPG.
See this comment: https://yro.slashdot.org/comments.pl?sid=9485881&cid=52651539
You want to fucking get everybody who downloads Count Dracula arrested for 30 years? Take away their livelihood because their daughter downloaded Taylor Swift mp3's? Guess what Dice you low down scum bitches.
Registry Registrant ID:
Registrant Name: Host Master
Registrant Organization: SourceForge Media, LLC
Registrant Street: 1660 Logan Avenue Suite A
Registrant City: San Diego
Registrant State/Province: CA
Registrant Postal Code: 92113
Registrant Country: US
Registrant Phone: +1.8584545900
It is not Tucows in Chesterfield, MO like it is preferred suddenly to state on WHOIS.
Trust nothing by Open Whisper Systems. Do not even click that link.
So you plan to reach out to one of the dozen or so Windows Phone users by finding them on slashdot?!
Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
All day - Tox. But of course this post will be buried and not read.
Tox solves every one of your problems and concerns.
The best I've found so far is "Wire".
Everything, be it text/video/voice/phone/doodle is encrypted (End to End).
The voice calls are amazingly clear and the video chat is pretty clean.
It's like Telegram tried to turn itself into Skype.
Duo son.