More Skype Back Door Speculation

CmdrTaco posted more than 5 years ago | from the i'm-your-backdoor-man dept.

Communications 210

An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."

210 comments

Open source VoIP alternatives? (3, Interesting)

vertinox (846076) | more than 5 years ago | (#24348273)

I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.

Re:Open source VoIP alternatives? (2, Informative)

deadcrickets (1307745) | more than 5 years ago | (#24348299)

gizmo

Re:Open source VoIP alternatives? (4, Informative)

lindi (634828) | more than 5 years ago | (#24348375)

http://en.wikipedia.org/wiki/Gizmo5 [wikipedia.org] says that the client is proprietary software. Are you talking about some other client with the same name?

Re:Open source VoIP alternatives? (4, Informative)

WhatAmIDoingHere (742870) | more than 5 years ago | (#24348563)

From the wikipedia link you gave:

"Unlike its competitor network Skype, the Gizmo5 network uses open standards for call management, the Session Initiation Protocol and Jabber."

Re:Open source VoIP alternatives? (5, Informative)

rubycodez (864176) | more than 5 years ago | (#24348601)

using an open standard is not the same thing as being "open source" or "completely open"

Re:Open source VoIP alternatives? (2, Interesting)

stinerman (812158) | more than 5 years ago | (#24348797)

Granted, but Gizmo5 is only a software program that interfaces with the SIP-based network. You can use (and I have used) Ekiga as the software front-end that works with an account.

The only downside is that there isn't any encryption, so it'd be pretty trivial to bug.

Re:Open source VoIP alternatives? (1, Informative)

Anonymous Coward | more than 5 years ago | (#24348585)

The Gizmo5 client is proprietary, but it uses open, standard, protocols (including encryption by SRTP).

Of course if you want to go open source there are a lot of SIP clients available (on Windows and Linux anyway, less so on OS X). Twinkle ( http://www.twinklephone.com ) looks pretty good, I just wish it was cross-platform.

Re:Open source VoIP alternatives? (5, Informative)

Naughty Bob (1004174) | more than 5 years ago | (#24348323)

I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.

I asked the internet, she donned her Stupomitron Helmet, et voilà [wikipedia.org]

Re:Open source VoIP alternatives? (4, Informative)

The Cisco Kid (31490) | more than 5 years ago | (#24348557)

An alternative to what? To Skype? To the PSTN? Software running on a PC is always going to be a poor solution, and is far from your only option for Internet voice communication. You do NOT need some app on your PC to do VoIP. What you want is something called an ATA - it's a little box that has a jack for a regular phone, and an ethernet port. They are often supplied with service such as Vonage, but are usually 'locked' down to that provider. You can also buy them directly, but you will of course still need 'something else' to initiate SIP connections to. For information about real VoIP networks (both net-to-net, as well as PSTN interconnection), visit voip-info.org

Re:Open source VoIP alternatives? (1, Troll)

Standard User 79 (1209050) | more than 5 years ago | (#24349097)

Nothing wrong with Skype, it is by far one of the best solutions available. Anyone who has actually dealt with sip and nat knows it is a complete mess. Skype also has an excellent set of codecs that can provide superior audio quality but also handle packet loss/jitter etc..

Re:Open source VoIP alternatives? (5, Funny)

computer_guy57 (998179) | more than 5 years ago | (#24349131)

Nothing wrong with Skype,

Except that it might have a backdoor... which was kind of the point of this article in the first place.

Re:Open source VoIP alternatives? (3, Interesting)

NormalVisual (565491) | more than 5 years ago | (#24349251)

The thing is, I'd imagine any agency that can get a warrant to use the backdoor in Skype can also get a warrant to examine your net connection for voice traffic. VoIP implemented over SIP/RTP is quite easy to listen in on if you have access to the entire bit stream since practically nobody encrypts the RTP stream.
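Added example, not part of the thread: a small auditor for the SDP body a SIP client sends, which reports per media stream whether the audio will travel as plain RTP or SRTP and how the keys are agreed. The verdict names, the `signaling_is_tls` flag and the sample SDP bodies (documentation addresses, placeholder key material) are constructed for illustration.

```python
from dataclasses import dataclass

# The transport profile on the m= line decides whether the media is SRTP at all.
PLAINTEXT_PROFILES = {"RTP/AVP", "RTP/AVPF"}
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# SDP attributes that announce how the media keys are agreed.
KEYING_ATTRS = {"crypto": "sdes", "fingerprint": "dtls-srtp", "zrtp-hash": "zrtp"}


@dataclass
class MediaAudit:
    media: str
    port: int
    profile: str
    keying: tuple
    verdict: str


def _keying(attrs):
    names = {a.split(":", 1)[0].strip().lower() for a in attrs}
    return tuple(sorted(KEYING_ATTRS[n] for n in names if n in KEYING_ATTRS))


def _verdict(port, profile, keying, signaling_is_tls):
    if port == 0:
        return "stream-disabled"          # port 0 means the stream is rejected
    if profile in PLAINTEXT_PROFILES:
        # a=crypto under RTP/AVP still counts as plaintext: the peer may ignore it.
        return "zrtp-offered" if "zrtp" in keying else "plaintext"
    if profile in SRTP_PROFILES:
        if "dtls-srtp" in keying:
            return "srtp-dtls"            # keys agreed on the media path itself
        if "sdes" in keying:
            # SDES puts the key inside the SDP, so every SIP hop reads it; without
            # TLS on the signaling a wire observer reads it too.
            return "srtp-sdes-via-tls" if signaling_is_tls else "srtp-sdes-key-exposed"
        return "srtp-no-keying"
    return "unknown-profile"


def audit_sdp(sdp, signaling_is_tls):
    """Return one MediaAudit per m= section of an SDP body."""
    session_attrs, sections = [], []
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1] != "=":
            continue
        kind, value = line[0], line[2:]
        if kind == "m":
            parts = value.split()
            if len(parts) < 4:
                raise ValueError(f"malformed m= line: {line!r}")
            port = int(parts[1].split("/")[0])
            sections.append((parts[0], port, parts[2].upper(), []))
        elif kind == "a":
            # Attributes before the first m= line apply to every stream.
            (sections[-1][3] if sections else session_attrs).append(value)
    results = []
    for media, port, profile, attrs in sections:
        keying = _keying(session_attrs + attrs)
        results.append(MediaAudit(media, port, profile, keying,
                                  _verdict(port, profile, keying, signaling_is_tls)))
    return results


# Constructed sample offers (not captured traffic).
SDP_PLAIN = """v=0
o=alice 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""
SDP_SDES = """v=0
o=alice 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49172 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
"""
SDP_DTLS = """v=0
o=alice 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
a=fingerprint:sha-256 CONSTRUCTED:PLACEHOLDER
m=audio 49174 UDP/TLS/RTP/SAVP 0
m=video 0 RTP/AVP 31
"""

if __name__ == "__main__":
    for name, sdp, tls in (("plain", SDP_PLAIN, True), ("sdes", SDP_SDES, False),
                           ("sdes+tls", SDP_SDES, True), ("dtls", SDP_DTLS, True)):
        for m in audit_sdp(sdp, tls):
            print(f"{name:9} {m.media:5} {m.profile:17} {m.verdict}")
```

Even the `srtp-sdes-via-tls` case only protects the key hop by hop: each SIP proxy on the signaling path terminates TLS and sees the SDP.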

Re:Open source VoIP alternatives? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24349375)

Nothing wrong with Skype,

Except that it might have a backdoor... which was kind of the point of this article in the first place.

So what? What could anyone ever learn from listening to Skype conversation? Two homos setting up a date to jack off together? Not exactly a state secret.

Re:Open source VoIP alternatives? (5, Insightful)

FriendlyLurker (50431) | more than 5 years ago | (#24348817)

Two words: Network Effect [wikipedia.org]. All the alternatives I have reviewed are harder than skype. Harder to download, setup, use, the list goes on.
Result: Skype is popular - they nailed delivery to the "masses". No screwing around with the microphone, NAT/firewalls, SIP providers, names etc etc. The average joe can just download and install it in just two url clicks, type in a name and begin to use it. Done deal.
All the open source VOIP (most of them SIP) I have seen completely miss this most important point, and so all their development effort is ultimately wasted - walled themselves off to the technically proficient crowd and not benefiting from the network effect.

Re:Open source VoIP alternatives? (4, Informative)

Naughty Bob (1004174) | more than 5 years ago | (#24348947)

I found Ekiga pretty straightforward to get working. Not two clicks, for sure, but you are led through all the necessary steps by the nose.

And the network effect no longer applies if Ekiga users can call Skype users (And they can [tmcnet.com]).

Re:Open source VoIP alternatives? (1)

kwark (512736) | more than 5 years ago | (#24349079)

The couple of SIP providers I toyed with provided a preconfigured (windows) program, no need to screw with settings other than asking the users name/passwd on initial run (not that I tried those since I let my local Asterisk server connect to them, but my experience is that using a stun server solves normal connection problems).

Another easy way to prevent RTP connection problems is for the SIP provider to remain in the mediapath (which is a nice MIM vector for snooping).

Re:Open source VoIP alternatives? (3, Informative)

Tsuroerusu (775881) | more than 5 years ago | (#24348429)

I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.

For Linux there's a decent program called I Hear You (IHU), very simple program, GPL-licensed etc., you can find it at http://ihu.sourceforge.net/ [sourceforge.net]

Re:Open source VoIP alternatives? (2, Informative)

Kent Recal (714863) | more than 5 years ago | (#24348509)

VoIP/SIP is open.
You only need a client [voip-info.org] and an account with any of the free SIP providers. Or you setup asterisk (or another free PBX software) and become your own provider.

The problem with SIP is that few people actually use it whereas skype is everywhere.

Re:Open source VoIP alternatives? (4, Informative)

raju1kabir (251972) | more than 5 years ago | (#24348609)

The problem with SIP is that few people actually use it whereas skype is everywhere.

Several orders of magnitude more daily minutes are done with SIP than Skype. SIP is used for corporate networks and calling card providers and lots of other situations.

Re:Open source VoIP alternatives? (3, Insightful)

TheRaven64 (641858) | more than 5 years ago | (#24348677)

Very few people on the Internet use it. Most SIP usage is either on private networks (e.g. intra-company) or bridged to POTS at the far end.

Re:Open source VoIP alternatives? (1)

Kent Recal (714863) | more than 5 years ago | (#24348737)

Well, the SIP protocol is used more, yes. And it's gaining ground as more and more ISPs (at least here in europe) are offering VoIP along with internet access instead of landline + internet access.

In this case I was referring to the skype standard use-case, though. That is: end-users making calls with a softclient. AFAIK Skype is still the 900# gorilla in this segment, simply because everybody knows "Skype for calls" (akin to "Google for search") and hardly anyone bothers to look beyond.

Re:Open source VoIP alternatives? (1)

LostCluster (625375) | more than 5 years ago | (#24348573)

Servers and bandwidth cost money. Sorry, no way OSS can solve this on its own.

Re:Open source VoIP alternatives? (2, Informative)

pushing-robot (1037830) | more than 5 years ago | (#24348793)

VOIP is peer-to-peer. A server is only used for matchmaking, and bandwidth is minimal.

Besides, OSS != guy in basement. Mozilla, Canonical and Red Hat somehow manage to pay for a few servers and a bit of bandwidth.

Re:Open source VoIP alternatives? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24348593)

If you think of alternatives, you'd expect them to fulfill the same specifications. One of the specifications when switching off the Skype is being able to actually contact other people. Try talking the Average Joe about ie. Ekiga, open source VOIP client. What will happen? You will get that sheepish look and question: "Why would I install that, I already got Skype. BESIDES EVERYONE I KNOW USE SKYPE AND I COULDN'T CALL THEM ANYMORE".

Such are network effects. There is no alternative for Skype for the specific reason. The alternative should be 100% Skype protocol compatible. (Good luck with that, with the patented codecs alone.)

Re:Open source VoIP alternatives? (1, Informative)

Anonymous Coward | more than 5 years ago | (#24348655)

freeswitch.org does SRTP/TLS so even with voip you can have it encrypted. It can also do passthrough which would let things like Phil Zimmermann's ZRTP do its magic.

In addition I am working on a pstn encryption system primarily designed for mobile phones, but I plan on writing a freeswitch module to make it work for pstn links as well.

If you ever use a server you do not control you run the risk that those who do control it will get a warrant and not inform you of such (often warrants come with gag orders attached, even subpoenas do). If you control it you will be able to (usually) detect downtime and installation of weird software you don't recognize (or you are unqualified to run the system :)

Re:Open source VoIP alternatives? (1, Insightful)

daveime (1253762) | more than 5 years ago | (#24349023)

Why must EVERY conversation on privacy boil down to a few tired questions about "open source" alternatives ?

What, like if the source code is open, then that will prevent backdoors ? Erm hello, the client software isn't the problem, it's the network of Skype servers the bloody data passes through that is the weak point in the equation.

So who do you trust more with your privacy ? A multi million dollar company, or some nerd in his mom's basement, acting as a VOIP connectivity server. In my case, I'd choose option "none of the above", but really ... open source is not the answer to ALL the world's ills.

Re:Open source VoIP alternatives? (5, Insightful)

vux984 (928602) | more than 5 years ago | (#24349241)

Why must EVERY conversation on privacy boil down to a few tired questions about "open source" alternatives ?

Because open source alternatives shouldn't have backdoors. And if it does they can be identified and closed. The only reason the conversation is tiresome is because proprietary software seems to have a perpetual stream of backdoors that keep bringing it up.

What, like if the source code is open, then that will prevent backdoors ? Erm hello, the client software isn't the problem, it's the network of Skype servers the bloody data passes through that is the weak point in the equation.

Nobody intelligent is asking for an oss skype client. They are asking for an oss replacement to the entire skype service. For precisely the reason you stated.

So who do you trust more with your privacy ? A multi million dollar company, or some nerd in his mom's basement, acting as a VOIP connectivity server.

If that nerd is just hosting as a connection service, and the voip data stream itself is end-to-end encrypted and is actually transmitted directly to the recipient, then I trust the nerd in the basement more, because he never even sees the stream, and even if he did, it's encrypted.

At least as long as I know I'm -really- using the public key of the called party to encrypt it, that is. But that is the biggest weakness of almost all internet uses of encryption.

In my case, I'd choose option "none of the above", but really ... open source is not the answer to ALL the world's ills.

Not all of them. But it is the answer to this one.

Re:Open source VoIP alternatives? (5, Informative)

TheRaven64 (641858) | more than 5 years ago | (#24349391)

Because something like this will be audited if at all possible. Skype is closed, the binary is encrypted, it auto-exits in the presence of debuggers, and does various other things to prevent reverse-engineering. And, still, someone at BlackHat took it apart and found a remote vulnerability. If it were open source and popular, a lot more people would be poking it for holes.

More important than open source, here, is open standards. In an open standard, lots of cryptographers will look at the protocol for holes without considering the implementation details, and lots of others will look for holes in specific implementations. Implementation-related holes (such as the heap-overflow exploit in Skype) will not affect as many people, because there will be competing implementations and not everyone will be locked in to a single provider. If the hole is in the protocol (and allowing a midpoint to intercept the conversation is a hole in the protocol) then it is more likely to be found if the protocol is subject to peer review, which things like SRTP (which SIP can run on top of) have been.

Re:Open source VoIP alternatives? (2, Informative)

Jorophose (1062218) | more than 5 years ago | (#24349029)

Zfone?

Encrypted calls > Ekiga.

Sorry, I love Ekiga myself, especially since it has video, but I don't want to be eavesdropped on. Which is why until Ekiga incorporates Zfone's SDK, it's Zfone all the way. The software is "open source", like PGP is "open source", but the libs and the SDK are GPL. For the program, they won't accept your contributions, and I'm not too sure if they will for the libs, either; I guess it's mostly to keep it untampered, but they should be accepting contributions for the libs and SDK...

Their encryption is pretty cool. Even the "basic" encryption works great; and the "extra" stuff is mostly just reading out a passphrase.
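Added example, not part of the thread: why reading a short string aloud authenticates the key exchange, which is the concern raised in the earlier comment about "really" using the called party's public key. It uses a toy Diffie-Hellman group and a simplified 4-character string derived from the exchanged keys; it is not ZRTP's actual key derivation, and all names and key labels are constructed.

```python
import base64
import hashlib

# Toy Diffie-Hellman parameters, chosen only to keep the example short.
# Assumption for illustration; a real protocol uses a vetted group.
P = 2**255 - 19
G = 2


def constructed_private_key(label):
    """Deterministic private key from a label so the example is repeatable."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 2) + 1


def public_key(priv):
    return pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def short_auth_string(secret, initiator_pub, responder_pub):
    """4 base32 characters (20 bits) bound to the secret and both public keys."""
    h = hashlib.sha256()
    for n in (secret, initiator_pub, responder_pub):
        h.update(n.to_bytes(32, "big"))
    return base64.b32encode(h.digest()[:5]).decode()[:4].lower()


def place_call(alice_priv, bob_priv, relay_priv=None):
    """Run the key exchange, optionally through a relay that swaps in its own key.

    Returns the string each caller would read aloud and whether the relay
    ends up holding both session secrets.
    """
    alice_pub, bob_pub = public_key(alice_priv), public_key(bob_priv)
    if relay_priv is None:
        seen_by_alice, seen_by_bob = bob_pub, alice_pub
    else:
        # A relay in the media path substitutes its own public key on both legs.
        seen_by_alice = seen_by_bob = public_key(relay_priv)

    alice_secret = shared_secret(alice_priv, seen_by_alice)
    bob_secret = shared_secret(bob_priv, seen_by_bob)

    # Each side hashes what it actually saw: (secret, caller key, callee key).
    alice_sas = short_auth_string(alice_secret, alice_pub, seen_by_alice)
    bob_sas = short_auth_string(bob_secret, seen_by_bob, bob_pub)

    relay_holds_keys = (
        relay_priv is not None
        and shared_secret(relay_priv, alice_pub) == alice_secret
        and shared_secret(relay_priv, bob_pub) == bob_secret
    )
    return {"alice_sas": alice_sas, "bob_sas": bob_sas,
            "relay_holds_keys": relay_holds_keys}


ALICE = constructed_private_key(b"alice (constructed)")
BOB = constructed_private_key(b"bob (constructed)")
RELAY = constructed_private_key(b"relay (constructed)")

if __name__ == "__main__":
    direct = place_call(ALICE, BOB)
    relayed = place_call(ALICE, BOB, RELAY)
    print("direct :", direct)    # both callers read the same string
    print("relayed:", relayed)   # strings differ, so the substitution is audible
```

The encryption works identically in both runs; only the spoken comparison tells the callers whose key they encrypted to.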

Re:Open source VoIP alternatives? (0, Troll)

westlake (615356) | more than 5 years ago | (#24349239)

I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.

It doesn't matter if the alternatives are "completely open" if no one but the geek is using them. You might as well be a kid playing in the yard with two tin cans and a length of string.

Re:Open source VoIP alternatives? (1)

grumbel (592662) | more than 5 years ago | (#24349381)

When it comes to conference calls I found Mumble (open source) and Teamspeak (non-free, but has a Linux version) far superior to any of the classical VoIP software out there. For normal phone-like calls Ekiga is good enough, but overall I prefer text chat in combination with Mumble/Teamspeak.

Skype is FISA and CALEA compliant! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24348275)

I am the first one to beat everyone to the punch!

*knock knock* (0)

Anonymous Coward | more than 5 years ago | (#24348279)

Hello, it's us, the FBI! Just checkin' out all the phones in the neighborhood. Keep your nose clean, kid.

frist psot! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24348291)

i heard this listening in to taco's skype

Re:frist psot! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24348309)

I heard it while buggering cmdrtaco's backdoor.

Jef "Hemos" Bates

--
I like cheese.

Quite reassured (1)

Adreno (1320303) | more than 5 years ago | (#24348305)

Let me be the first to say that I'm rather reassured by their stance: "Skype does not comment on media speculation. Skype has no further comment at this time." Phew! Because outright denial would be risky...

Decode the protocol? (2, Interesting)

forrie (695122) | more than 5 years ago | (#24348307)

Has anyone made attempts at decoding the SKYPE protocol? This would take some clever reverse engineering of the code and some clever wire sniffing.

I wonder if it would be possible to inject an encryption layer underneath what their service provides.

On a legal note, in the US, could consumers who purchased SKYPE products sue SKYPE?

Chances are pretty good that if this backdoor exists, it has for a long time.

Re:Decode the protocol? (5, Interesting)

mrogers (85392) | more than 5 years ago | (#24348467)

The code is heavily [recon.cx] obfuscated [recon.cx] to prevent reverse engineering (encrypted code, checksums, debugger detection, all kinds of fun).

Brought to you by closed source (4, Insightful)

Bromskloss (750445) | more than 5 years ago | (#24348315)

Unless you think it's a good thing that some people can snoop on others' conversations, this should be a really good reason to embrace free software.

Re:Brought to you by closed source (4, Insightful)

Opportunist (166417) | more than 5 years ago | (#24348611)

You know that as soon as some really unbreakable OSS project takes the place of skype, someone will jump up and claim that OSS is promoting terrorism since it keeps the feds from snooping at you?

What's scary is that a lot of people will nod their head and agree...

Re:Brought to you by closed source (1)

eebra82 (907996) | more than 5 years ago | (#24348699)

You know that as soon as some really unbreakable OSS project takes the place of skype, someone will jump up and claim that OSS is promoting terrorism since it keeps the feds from snooping at you?

But how will they stop open source? If the feds pulled a move like that, it would be pretty much like the DRM case, where the music industry does so much to prevent us from using non-DRM. Ultimately, however, it will never succeed because they will always be outmanned.

Re:Brought to you by closed source (2, Interesting)

andymadigan (792996) | more than 5 years ago | (#24348949)

I'm pretty sure it would be trivial to set up a PC to PC voice connection, even with just openssh, assuming the microphone and speaker are both "files".

I'd imagine on both sides the command would look like this:

ssh joe@someplace.net 'cat > /dev/snd/out' < /dev/snd/mic

Obviously I don't know the exact device name, and you might have to use some other program to read in from the mic and such. If the connection is slow/choppy, use speex. You should still even be able to do it from the command line, assuming the speex encoder streams.

The point is, and I'm sure you know this, there are already OSS programs capable of setting up the whole connection, so skype being buggable just makes it easier to spy on people who aren't as concerned about their privacy and/or deal with people who aren't.

On another note, isn't it possible that the official was only talking about skypeOut calls? Surely bugging a call over PSTN coming from skype is no different than any other PSTN call, and they don't need to break skype to do it.

And, as demonstrated above, there are far more secure ways to do PC2PC than skype.

Re:Brought to you by closed source (1)

TechyImmigrant (175943) | more than 5 years ago | (#24349117)

Open or not, you can't provide a VoIP-POTS switch service as Skype do, without running into the LI (Lawful Intercept) laws that scatter the world.

Re:Brought to you by closed source (2, Funny)

g0at (135364) | more than 5 years ago | (#24349167)

You're promoting terrorism because you're making a stupid "you know that as soon as X happens, people will say Y" doomsaying remark.

There, saved some time.

Re:Brought to you by closed source (0)

Anonymous Coward | more than 5 years ago | (#24349235)

I am tired of this. Point to where the US government said that trying to hide your info is helping terrorism?

A big guy, that the hated border cheek guy.

Capacha: ceases

Re:Brought to you by closed source (2, Insightful)

Chryana (708485) | more than 5 years ago | (#24348703)

I'm not saying snooping on my calls is a good thing. However, I don't think free software is the answer here. I make calls from my computer to a land line, how can I prevent my provider, Skype or not, from eavesdropping on my conversations? You don't expect me to convince all my contacts to start using their computer to receive calls, do you?

Re:Brought to you by closed source (1, Interesting)

Anonymous Coward | more than 5 years ago | (#24349275)

You don't expect me to convince all my contacts to start using their computer to receive calls, do you?

Actually, I think the popularity of skype suggests exactly that.

I'd like to see some numbers of how many skype calls are skype-to-skype, and how many involve the phone system.

Re:Brought to you by closed source (1)

DriedClexler (814907) | more than 5 years ago | (#24349281)

I'm not saying that having to communicate by telegraph is a good thing. However, I don't think telephones are the answer here. I make a call to someone without a phone, how do they get the message? You don't expect me to convince all my contacts to start using a phone to receive messages, do you?

Re:Brought to you by closed source (1)

scott_karana (841914) | more than 5 years ago | (#24349037)

This is exactly the reason I embrace free software.
Unfortunately, the Debian project let me down with its OpenSSL fiasco.
I'm not sure WHERE I stand, now.

Get your spelling right! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24348353)

The country is called AustraLIA not Austria!

Re:Get your spelling right! (1, Funny)

Anonymous Coward | more than 5 years ago | (#24348447)

i always hate the people who mix up the austrian kangaroo with the australian schnitzel.

Re:Get your spelling right! (2, Funny)

TapeCutter (624760) | more than 5 years ago | (#24348713)

"i always hate the people who mix up the austrian kangaroo with the australian schnitzel"

Speaking as an Aussie there are lots of locals who still manage to confuse "The sound of music" with Guy Sebastian.

Re:Get your spelling right! (1)

Opportunist (166417) | more than 5 years ago | (#24348673)

Oh, I can reassure you, Austria [wikipedia.org] exists. It didn't between 1938 and 1945, but that's a different matter.

Austria even has a very interesting TLD. .at

Re:Get your spelling right! (0)

Anonymous Coward | more than 5 years ago | (#24348731)

Are you sure that Austria is a country on its own? Isn't it a part of Germany?

Disassembly anyone? (2, Insightful)

erroneus (253617) | more than 5 years ago | (#24348361)

I know it's tedious work, but some people actually seem to like it. Isn't it time that people disassemble these suspected binaries in order to issue a report on the matter? Not only on Skype, but on many other suspected programs, libraries and operating systems?

Re:Disassembly anyone? (4, Informative)

caluml (551744) | more than 5 years ago | (#24348417)

I read a good presentation by people that had tried to disassemble Skype, and basically, Skype do so much to make it very, very difficult. Here's a PDF version [blackhat.com] of it.

If it was easy, someone would have done it by now, and made Gnype, don't you think?

Re:Disassembly anyone? (1)

MPAB (1074440) | more than 5 years ago | (#24348591)

If it was easy, someone would have done it by now, and made Gnype, don't you think?

Gnype ... the writing makes me think of the Skype from Soviet Russia.

Re:Disassembly anyone? (4, Insightful)

erroneus (253617) | more than 5 years ago | (#24348625)

I don't think competitive code is as much of a threat as simply knowing what the code does is a threat.

I have read through a good portion of the PDF and I agree that the analysis of the breakdown and all of the measures Skype makes to conceal what it's doing are both impressive and worrisome. I suppose, perhaps, an alternative measure might be for some sort of "computing trustworthiness" scale to be created where the worst offenders (like Skype) are ranked as "potentially dangerous" until they [Skype] clear the matter up.

I suppose in the presence of such a [subjective?] scale, there would be a huge list of programs and applications deemed to be offensive in this way, but perhaps a black list such as this could be useful in attempting to get software a bit more open than it is today? After all, if you could cite an application as "2 out of 10" on the trustworthiness scale as a reason not to purchase, people might begin to take notice. I think a scale like this, whether subjective or not, would enable the technically uninterested to read these 'executive summaries' of information and make better decisions -- making it easier for the public to make more informed choices.

Would lawsuits result? Of course. But the lawsuits against RBLs once happened frequently before people decided it was better to just take measures to stay off the lists. Consumer Reports once found itself at the receiving end of legal actions and demands (and probably still does) but in the end, it's worth the effort they make as they are generally accepted as a trustworthy source. We need a Consumer Reports for software that exposes the privacy and security concerns that different software poses.

I know this stuff about Skype has given me reason to pause, but that's just me... I can sort of read and understand most of what I read here. But how about the rest of the uninformed? How can we get the point across to them?

Re:Disassembly anyone? (1)

seyyah (986027) | more than 5 years ago | (#24348707)

If it was easy, someone would have done it by now, and made Gnype, don't you think?

Why? Don't you think they could get away with sKype or even just Kype?

Of course it is not a problem! (1)

VincenzoRomano (881055) | more than 5 years ago | (#24348381)

As it is not for any other telco.
Especially when one of the parties is behind a firewall, the Skype servers are needed for the communication and in some place there, it gets unencrypted.
Real P2P encrypted voip communication (a-la Bit Torrent), would make it very difficult to eavesdrop the communication.

Re:Of course it is not a problem! (1, Troll)

OolimPhon (1120895) | more than 5 years ago | (#24348505)

Skype *is* P2P. I installed it last year to talk to my son, who travels a bit. Discovered it was bloated and slugged my machine, so got rid of it. However, since then I get all kinds of IPs from all over the world battering against my firewall, specifically trying to connect to the port I allocated Skype. I reckon Skype only uses central servers for the initial setup, then uses P2P for all further activity. It's leeching *your* processor and bandwidth!

Re:Of course it is not a problem! (1)

fluch (126140) | more than 5 years ago | (#24348631)

"It's leeching *your* processor and bandwidth!" ... I don't share this observation. It is running on my linux box since the days I had a Pentium III and it never took much computing power, especially while idling. Rarely I notice on my network monitor a 10kbit/s transfer when my skype client serves as a relay for two other skype clients which cannot communicate directly. That is basically all...

This is an absolutely clueless comment (0)

Anonymous Coward | more than 5 years ago | (#24349291)

Topology of the connection has nothing to do with its end-to-end security.

Encrypt (1, Interesting)

Anonymous Coward | more than 5 years ago | (#24348411)

PGPhone -- encrypt encrypt encrypt. Won't protect you against NSA-level shit, but it will at least get the petty bureaucretins out of the way.

Re:Encrypt (1)

ettlz (639203) | more than 5 years ago | (#24348691)

You really think that there exists a practical attack on PGP-based cryptography?

Are you a politician?

Does skype like back door action? (5, Funny)

mseidl (828824) | more than 5 years ago | (#24348477)

Lets find out...

Do I have a volunteer from the /. audience that wants to bed Skype and see if it's a back door kind of program?

Re:Does skype like back door action? (0)

Anonymous Coward | more than 5 years ago | (#24348665)

Its true.. Skype does.. I took one for the team.. pictures available at http:skypse.cx/ [skypse.cx]

Re:Does skype like back door action? (1)

Oh no, it's Dixie (1332795) | more than 5 years ago | (#24348685)

Well, the closed-source part might make it difficult to check for the whole back door thing. If Skype was open-source, though, I'd definitely be reading its code, if you know what I mean.

Any idea why mods are calling parent insightful?

No possible way to disprove the claim (2, Interesting)

fluch (126140) | more than 5 years ago | (#24348481)

With closed source and closed protocol specifications there is no way to disprove the claim of an existing backdoor. Regardless of whether there really exists a backdoor or not. Simple but true and it is the drawback of wanting to provide security in a closed source environment.

Re:No possible way to disprove the claim (2, Informative)

jackchance (947926) | more than 5 years ago | (#24348987)

From Skype.com [skype.com] :

Is Skype secure?
Yes. When you call another Skype user your call is encrypted with strong encryption algorithms ensuring you privacy. In some cases your Skype communication may be routed via other users in the peer-to-peer network. Skype encryption protects you from potential eavesdropping from malicious users.

Why are Skype calls encrypted?
Skype is encrypted end-to-end because it uses the public internet to transport your voice calls and text messages and sometimes these calls are routed through other peers. Skype encryption ensures that no other party can eavesdrop on your call or read your instant messages.

What type of encryption is used?
Skype uses AES (Advanced Encryption Standard) also known as Rijndael which is also used by US Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

So if there is a backdoor, their site is lying, and I can smell a class action.

Re:No possible way to disprove the claim (0)

Anonymous Coward | more than 5 years ago | (#24349365)

Skype encryption ensures that no other party can eavesdrop on your call or read your instant messages.

Skype Monitoring & Staying Anonymous (4, Insightful)

Anonymous Coward | more than 5 years ago | (#24348485)

All you have to know to monitor someone's Skype is their password. Login with Skype on another machine, set status to invisible. Anything they type or receive in chat you receive.

1. For IM: Jabber (non-US server) + OTR Plugin + Tor.
2. For everything else (email/vpn/storage) services as provided by www.xerobank.com will do you good.
3. TrueCrypt Full Drive Encryption. (Check your local laws - under Dutch law they cannot force me to give up the passwords ... and we don't do waterboarding here) (I hope)

Re:Skype Monitoring & Staying Anonymous (1)

kyjl (965702) | more than 5 years ago | (#24348883)

If anybody else knows your password it's your own damn fault, not Skype's.

I'm not defending Skype (even though I use it, albeit rarely) but seriously you've got to find another reason to bash Skype besides a very common security problem that affects just about everything else on the planet.

If they can listen in, then there is a backdoor (1)

gweihir (88907) | more than 5 years ago | (#24348491)

The encryption problem has been solved, also in such a way that nobody can listen in, not even the service provider. If anybody can listen in, it is either by hacking the source or target computer (difficult, maybe illegal and may fail) or by a backdoor in the protocol. They can deny all they want, the backdoor is there. That also means that Skype is unusable for any kind of confidential conversation, as there are enough scum in the intelligence community that are allowed to do industrial espionage (the US and France come to mind).

Just hack DNS (0)

Anonymous Coward | more than 5 years ago | (#24348495)

Yeah, they've figured out how to hack the DNS for skype.com and redirect the traffic :-p

Real VoIP (1)

The Cisco Kid (31490) | more than 5 years ago | (#24348523)

Skype is closed proprietary crap. Real VoIP is about open standards and interoperability. Check out Asterisk, OpenPBX for server software. For client-end stuff, skip the PC soundcard crap and get a real ATA, even a basic Sipura SPA-2000 is better than some crap closed application running off a PC soundcard.

that's not a surprise (4, Insightful)

speedtux (1307149) | more than 5 years ago | (#24348547)

You can be sure that these people are also trying to:

  • get backdoors into Ethernet firmware and BIOSes
  • get backdoors into routers and other infrastructure
  • get backdoors into commercial software
  • get backdoors into open source packages

You can be equally certain that they are not doing it right and that the backdoors they are trying to put in make your system less secure.

Running open source software is your best bet, but even there, you aren't completely protected.

Of course it's bugged. (4, Insightful)

TomatoMan (93630) | more than 5 years ago | (#24348575)

Assume all communication that uses any kind of monitorable infrastructure is bugged. The capacity is there, and the desire is there.

It is the way of things.

Of course it's bugged. So what? (-1, Troll)

John Hasler (414242) | more than 5 years ago | (#24348907)

While any such communication could, in theory, be bugged, I doubt that anyone with access has any interest in your scatological conversations with your mistress, and I doubt that anyone who is interested has access (unless your name is Sarkozy). Security is a matter of putting up a barrier that would cost more to surmount than the protected information is worth. For at least 99.999% of conversations Skype's encryption is good enough.

That's not the point (2, Interesting)

Anonymous Coward | more than 5 years ago | (#24349081)

I think what people are worrying about is not the risk of being individually targeted for lawful interception, but the risk of blanket mass interception of all calls worldwide, using automated keyword matching implemented extremely efficiently on extraordinarily vast numbers (100s millions, money no object, power 20MW+) of dedicated chips, not general purpose CPUs, that fill no more than 4.5 acres of warehousing underground consuming c.5MW surprisingly.

SIP? (1)

weeeeed (675324) | more than 5 years ago | (#24348597)

It's funny that most posts here suggest using SIP instead of Skype... which is *unencrypted*. Of course you can use addons like Zfone but hardware clients can't be used with that and SRTP/TLS/etc, again, is not supported by most providers and sip clients.

Source secret problem (4, Insightful)

dyfet (154716) | more than 5 years ago | (#24348607)

This is going to be a problem with any so called "secure" communication system that relies on source secret clients and unpublished protocols.

There are many ways to build such clients to "assist" external intercept, since they often have to first communicate with some central server to locate users. They could for example have a command that forces the client to always route back through the server (like they do for NAT), and use a simple data transformation rather than full encryption so casual packet snooping makes it "appear" encrypted when it is actually not.

They might also have flaws in their implementation, particularly with key exchange, that allow an invisible man in the middle. The ZRTP stuff developed by Phil Zimmermann that we use in GNU Telephony secure calling uses extra steps to compute a SAS to validate there are not fake public session keys given out by a man in the middle, for one example of how such flaws can affect otherwise "secure in appearance" systems.

Of course, even secure peer-reviewed protocols and foss clients do not guarantee security. For example, one can tether a bunch of ZRTP softphones to an Asterisk server using PBX enrollment, but this enables and requires said server to decrypt all traffic as it passes through, as it acts as a "trusted" man-in-the-middle.

In the end, the best solution, even with ZRTP, remains using pure peer-to-peer (end-to-end) media connections, and when needed transparent proxy media exchange; the latter for dealing with NAT. In ZRTP, sas negotiation assures any such proxy used for NAT "remains" transparent.

In the case of Skype, source secret clients that can report false call information and source secret protocols are a clear recipe for disaster.
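The SAS check described in the comment above, as an added example that is not part of the original comment and is not ZRTP or GNU Telephony code: both parties derive a short string from the key exchange and compare it by voice, and a relay that substituted its own public value makes the two strings disagree. The toy 127-bit group, the simplified SAS derivation and all function names are assumptions for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): a 127-bit Mersenne prime.
# Real ZRTP uses standardized large finite-field or elliptic-curve groups.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def sas(shared_secret, initiator_pub, responder_pub):
    """Short authentication string: hash the secret together with the
    public values this endpoint saw, keep 16 bits to read aloud."""
    h = hashlib.sha256()
    for value in (shared_secret, initiator_pub, responder_pub):
        h.update(value.to_bytes(16, "big"))
    return h.hexdigest()[:4]

def run_call(mitm=False):
    """Run one key exchange and return (alice_sas, bob_sas)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    pub_seen_by_alice, pub_seen_by_bob = b_pub, a_pub
    if mitm:
        # A relay in the media path replaces both public values with its own.
        _m_priv, m_pub = keypair()
        pub_seen_by_alice = pub_seen_by_bob = m_pub
    alice_secret = pow(pub_seen_by_alice, a_priv, P)
    bob_secret = pow(pub_seen_by_bob, b_priv, P)
    alice_sas = sas(alice_secret, a_pub, pub_seen_by_alice)
    bob_sas = sas(bob_secret, pub_seen_by_bob, b_pub)
    return alice_sas, bob_sas

if __name__ == "__main__":
    print("direct call :", run_call(mitm=False))  # both strings match
    print("relayed call:", run_call(mitm=True))   # strings differ
```

With only 16 bits compared, a substituted exchange goes unnoticed about once in 65,536 attempts; ZRTP additionally has the initiator commit to a hash of its key-exchange value up front, so a relay cannot keep trying keys until the short strings collide.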

whatever (1)

ciej (868027) | more than 5 years ago | (#24348651)

anybody using skype to plan their heist deserves to get caught.

Re:whatever (1)

thrillseeker (518224) | more than 5 years ago | (#24348771)

and anyone using skype to plan their sleepover party deserves their privacy

Re:whatever (1)

ciej (868027) | more than 5 years ago | (#24349151)

Yes, and anyone making a phone call to plan their sleepover deserves the same privacy. It shouldn't matter what they are using, they have a right to privacy but the gov't is going to find a way to listen in. My point was that technology isn't secure and anyone who believes it is, is only fooling themselves.

CALEA (0)

Anonymous Coward | more than 5 years ago | (#24348751)

Maybe they do and if so, it's probably a good thing since they could fall under CALEA regulations http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

Not surprising (1)

FritzTheCat1030 (758024) | more than 5 years ago | (#24348921)

Ebay owns Skype. Ebay has an absolutely HORRIBLE track record with regards to protecting the privacy of their users. Ebay's policy has long been to comply in full with the request of ANY police agency without question. No warrants or explanation needed. So, it's not surprising that they would go out of their way to help spy on Skype users.

SIP Skype (2, Informative)

ivoras (455934) | more than 5 years ago | (#24349015)

Asterisk+SIP+Ekiga is not a good replacement for Skype:

  • It's much harder to set up (you can't beat Skype's "start the exe, type in username and password and you're there" experience).
  • It's not encrypted - so all those people saying "Worried about big bad wolf listening to your Skype calls? Switch to SIP because it's open!" are actually making things worse.

Add to this that Skype has existed for a large number of years (5 years is "long" in "internet time") and it's not exactly known as a big medium for spreading viruses, hack attacks, etc. and you'll realize that security through obscurity actually can work. Of course, past trends are not indication of future behaviour, but you can't argue with results.

Skype's Own Comment (4, Funny)

Anonymous Coward | more than 5 years ago | (#24349031)

If you go to the options of the Skype client under the 'Chat Appearance' settings, do have a look at the sample chat displayed. I quote:

-Does Big Brother exist?
-of course he exists. The Party exists. Big Brother is the embodiment of the party
-Does he exist in the same way as I exist?
-You do not exist
-I think I exist. I am conscious of my own identity. I was born and I shall die. I have arms and legs. I occupy a particular point in space. No other solid object can occupy the same point simultaneously. In that sense, does Big Brother exist?
-It is of no importance. He exists.

To me this is quite conclusive.

Is it encrypted? (1)

v(*_*)vvvv (233078) | more than 5 years ago | (#24349147)

Any non-encrypted data communications over the internet can be tapped and understood, no? Maybe Skype has the decryption key, or maybe Skype just has the "tools" for listening in on a skype stream, but I don't see how this is a surprise.

Maybe the authorities just assumed skype was tappable because they know internet connections are tappable.

What keeps me with Skype (4, Insightful)

bhima (46039) | more than 5 years ago | (#24349305)

What keeps me with Skype is that I can have a US telephone number. So no matter where I am my friends and family can call me.
If there was another service which allowed me to have a US telephone number for incoming calls and let me call any other POTS number I'd use it.
