European Crackdown On Skype "Loophole"
Posted by
timothy
on Mon Feb 23, 2009 07:36 AM
from the only-the-suspicious-ones-of-course dept.
angry tapir writes "Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police. Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions, has announced the opening of an investigation involving all 27 countries of the European Union."
Related Stories
German Govt. Skype Interception Trojans Revealed 172 comments
James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."
Technology: More Skype Back Door Speculation 210 comments
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
Bavarian Police Seeking Skype Trojan Informant 252 comments
Andreaskem writes "Bavarian police searched the home of the spokesman for the German Pirate Party (Piratenpartei Deutschland) looking for an informant who leaked information about a government Trojan used to eavesdrop on Skype conversations. (The link is a Google translation of the German original.) There is a high probability that the Trojan is used illegally. A criminal law specialist said, 'The Bavarian authorities worked on the Trojan without a legitimate basis and now try to silence critics.' The informant need not worry since 'every information that could be used to identify him' is protected against unauthorized access by strong encryption. The Trojan is supposedly capable of eavesdropping on Skype conversations and obtaining technical details of the Skype client being used. It is deployed by e-mail or in place by the police. A Pirate Party spokesman said, 'Some of our officials seem to want to install the Big Brother state without the knowledge of the public.'"
IT: Skype Messages Monitored In China 223 comments
Pickens writes "Human-rights activists have discovered a huge surveillance system in China that monitors and archives Internet text conversations sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay. Researchers say the system monitors a list of politically charged words that includes words related to the religious group Falun Gong, Taiwan independence, the Chinese Communist Party and also words like democracy, earthquake and milk powder. The encrypted list of words inside the Tom-Skype software blocks the transmission of these words and records personal information about the customers who send the messages. Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that 'full end-to-end security is preserved and there is no compromise of people's privacy.' The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. 'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.'"
"Allowing Criminals" (Score:5, Insightful)
Re:"Allowing Criminals" (Score:5, Insightful)
And what sensible criminal would use Skype anyway? If you care about potential eavesdroppers, you don't use proprietary encryption, and especially not proprietary encryption over a proprietary protocol that has been shown to be insecure (see the Black Hat paper).
If you want security, run SIP over SRTP, with clients that have undergone third-party security audits.
Re:"Allowing Criminals" (Score:5, Interesting)
If criminals knew that much about IT, they would have an IT career, not a criminal one.
Most criminals are at best casual users of computers. While they might hire a whiz kid to encrypt their calls, that is quite rare: hiring someone from outside the criminal environment to encrypt communications opens a much larger security hole than Skype ever could.
You are assuming that the knowledge level common here on Slashdot is common in the real world. It isn't. I remember that Bernardo Provenzano, head of the Sicilian Mafia, used a Caesar cipher using a bible as key to send his orders around, and someone here on Slashdot commenting "what, he does not know of PGP?!?".
Re: (Score:3, Interesting)
If criminals knew that much about IT, they would have an IT career, not a criminal one.
Unlikely - that argument might work for petty thieves, but not major criminals, especially terrorists whose motivation is often not money in the first place.
Re:"Allowing Criminals" (Score:4, Insightful)
You're kidding right? IF terrorists can learn to fly a jumbo jet, which, mind you, is a very complex beast that requires a lot of training, simulator, and real-world flying time to be able to fly one, or if they can become munitions experts, what's to stop terrorists from becoming IT experts?
Nothing. Nothing at all. Terrorists can take the same classes you took, take the same training you took, and learn as much about IT as you did.
Anyone determined enough to kill a bunch of people in order to achieve notoriety for their cause can learn just about anything if they think it will help them achieve their goal.
Re: (Score:3, Funny)
You're kidding right? IF terrorists can learn to fly a jumbo jet, which, mind you, is a very complex beast that requires a lot of training, simulator, and real-world flying time to be able to fly one,
Surely, "the flying" of a modern jet is not the difficult part - it's "the landing".
Re: (Score:3, Interesting)
Speaking as a pilot, I have to say it's landing that's more difficult. There are autopilot systems that can take off, fly, and land, but landing's the challenging one.
But in any case, the reason you have a pilot is for when things go wrong. When things are going right, a monkey could take off, fly, and land a plane. When things go wrong, it takes knowledge to know what has gone wrong, and how to survive it. That's where the difficulty comes in.
I can't find the graph online but there's a neat graph that'
Re: (Score:3, Interesting)
Actually, I think some really new planes have autoland. And autopilot is pretty simple in many planes. It just keeps altitude and heading from drifting. Many of the big jets do have real auto-nav, but from what I remember reading, it's not as simple to set up as telling your GPS where to go.
Of course, if all you need is city level accuracy, a handheld GPS unit in the cockpit is more than enough. Hell, the GPS in my phone would work.
Flying isn't all that hard, particularly if the trained pilot already got th
Re: (Score:3, Interesting)
Mafia is organized crime. The whole point of organization is division of labour. The very fact that you distinguish between the Mafia soldier and Mafia boss is evidence enough of that. Consequently, it doesn't matter whether Don Stoneage knows a computer or not, since he has IT staff to d
Re: (Score:3, Interesting)
He used a Caesar cipher and bible quotations. [google.co.uk]
Re:"Allowing Criminals" (Score:4, Funny)
Great link.
Provenzano abandoned this code after Giuffre's arrest, and this is when investigators believe he turned to a Biblical code. Since his imprisonment, he has been given a clean copy of the Bible, which he reads every day, annotating and underscoring.
Priceless! If I were stuck in jail, I too would try to find a way to drive my jailors crazy.
Re: (Score:3, Insightful)
You mean the paper [blackhat.com] that explicitly concluded that "Skype was made by clever people" and "Good use of cryptography"?
Yes, it has weaknesses, but unless you get your victim to run a trojanized Skype (at which point they'd be screwed either way), it still seems reasonably secure. Oh, and of course you trust Skype Inc anyway, if you're running their binary.
That said, Skype is inherently scary, and I'd naturally advocate an open source, peer-reviewed system. I just get the feeling that many people misinterpreted
Re: (Score:2)
That's not entirely true. They do care if a hostile country listens in on calls, but they only care if they are going to lose out from it.
There was a documentary on sky science a few days ago about hacking. What stood out for me was a comment by some government ex-director of security saying that at le
Re:"Allowing Criminals" (Score:5, Interesting)
The European governments who want to eavesdrop on suspected criminals after obtaining a court order, or the US and UK governments who are presently listening to everybody in Europe, and have been for quite some time, through ECHELON?
Re:"Allowing Criminals" (Score:5, Insightful)
All of them. If I have multiple older male siblings, I can address them all as "Big brother." The existence of one does not preclude the existence of others.
Re: (Score:2)
Or allowing law abiding citizens to speak with their relatives in hostile countries without worry of big brother listening.
Well, they are hostile countries, you know.
Re: (Score:3, Insightful)
It's worse than that, they're hostile countries looking to harm our children
Well, they are. When the head of Iran says that he's going to get the bomb and the USA is the Great Satan, do you suppose he's just joking around?
Too many loopholes (Score:5, Insightful)
Suppose they have a way to intercept Skype calls and decrypt everything. How will they know a conversation like "Aunt Emma's cat had seven kittens, three black and four white" actually means "I'm sending seven kilos of heroin, Giuseppe will take three and Giovanni four"?
Re: (Score:3, Insightful)
That's an issue which applies to any form of intercepted communication not just skype
Re:Too many loopholes (Score:5, Interesting)
Precisely. Intercepting communications is pointless if the target has reason to suspect they are being watched. That's why the US and Britain went to great efforts to disguise the fact that they had broken the German and Japanese encryption systems during WWII.
For instance, when American fighters shot down admiral Yamamoto's plane the US didn't report the fact. They wanted the Japanese to believe that was just a chance encounter, not an action planned from a flight schedule they had known from decrypted Japanese communications.
Re:Too many loopholes (Score:5, Funny)
Suppose they have a way to intercept Skype calls and decrypt everything. How will they know a conversation like "Aunt Emma's cat had seven kittens, three black and four white" actually means "I'm sending seven kilos of heroin, Giuseppe will take three and Giovanni four"?
because you've just told us - and you are now on the "listen" list
Re: (Score:2)
How will they know a conversation like... actually means
And they will NEVER know that an email sent from 4321cba@gmail.com to 91023ofg@hotmail.com containing an attachment which was just a JPEG photograph of people on a ski slope, with three people on the left of the picture and four people on the right - means EXACTLY the same thing.
This is still the same "make believe security" bullshit that governments are so good at to cause the paranoid masses to support them, while wasting money and not actually doing
Re:Too many loopholes (Score:5, Insightful)
Arbitrary codes like this and one-time pads have been proven (when done correctly) to be absolutely secure, whereas all encryption in theory is insecure (the only exception is quantum encryption).
Skype is a well known protocol, with a known encryption system, and is not secure ....
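The "when done correctly" qualifier in the comment above is the whole story for a one-time pad, so here is an added worked example (my own code, not anything from the thread or from Skype) that shows both halves: why a correctly used pad is information-theoretically secure, and what leaks the moment the pad is reused. The messages are constructed sample text; the deterministic key in the usage comments is only there so the numbers are reproducible.

```python
import secrets


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each message byte with one uniformly random key byte.
    The pad must be exactly as long as the message and must be used once."""
    if len(key) != len(plaintext):
        raise ValueError("pad length must equal message length")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is literally the same operation.
otp_decrypt = otp_encrypt


def fresh_pad(length: int) -> bytes:
    """A pad drawn from the OS cryptographic RNG; this is the only acceptable key source."""
    return secrets.token_bytes(length)


def pad_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is exactly one pad that maps it to this ciphertext, so the
    ciphertext alone gives an eavesdropper no way to prefer one candidate
    over another (the 'kittens' reading and any other are equally consistent)."""
    return otp_encrypt(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """The failure mode behind 'done correctly': if one pad is used twice,
    XOR of the two ciphertexts equals XOR of the two plaintexts; the pad
    cancels out entirely."""
    if len(c1) != len(c2):
        raise ValueError("ciphertexts must have equal length")
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_other_plaintext(leak: bytes, known_plaintext: bytes) -> bytes:
    """Once one of the two plaintexts is known or guessed, the other falls out
    of the leak with a single XOR. This is why a reused pad is not a cipher."""
    return bytes(a ^ b for a, b in zip(leak, known_plaintext))


if __name__ == "__main__":
    # Constructed sample messages of equal length (33 bytes each).
    msg = b"Aunt Emma's cat had seven kittens"
    key = fresh_pad(len(msg))
    ct = otp_encrypt(msg, key)
    assert otp_decrypt(ct, key) == msg
    # Any other 33-byte text is explained by some pad, so ct proves nothing.
    other = b"The weather in Palermo was lovely"
    print(otp_decrypt(ct, pad_that_explains(ct, other)))
```

The decisive property is in `pad_that_explains`: the ciphertext is consistent with every plaintext of the same length, which is exactly the "absolutely secure" claim. The two `two_time_pad_*` helpers are the caveat a practitioner needs: reuse a pad once and the security argument collapses to a known-plaintext XOR.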
Re:Too many loopholes (Score:5, Insightful)
So suppose the police intercept the conversation example you used. What does it tell them? Well - first they are going to find out that neither of the people involved actually has an Aunt Emma, or indeed any aunt who owns cats. Alternatively they might be aware that the people involved don't exchange a lot of private information, hence are not close enough to care about the cat of some relative. So they know it's a code and from that they know that something is going to happen. The recipient is a suspected drug dealer, the sender a suspected supplier, so they guess that it's about a drug deal. Possible action: keep a close watch on the recipient of the message - he may receive the drugs soon, or he may establish contact with the persons receiving the drugs.
Even if they can't guess the first thing about the content of the message - intercepting it can still yield information. E.g. it could tell them that the recipient is online now - using the IP address they could identify his location - or they could obtain a voice sample which could be used for identification. They could use the time someone calls to identify their daily routine - if suddenly a call is made at an unusual time (e.g. 2 am for someone who usually sleeps early) then they can guess that something interesting is going on.
Taken to the extreme opposite - if intercepting communications between criminals would never yield results, then wire tapping in all forms would have to be stopped. We could determine whether that's the case by analyzing criminal cases - is wire tapping evidence never introduced, is wire-tapping information never used to guide investigations? If that's not the case, then we shouldn't expect a zero return for Skype interception either.
Communication privacy in freedom (Score:4, Informative)
One does not need to rely on proprietary or otherwise closed source solutions and protocols which may have or can in the future carry backdoors to achieve communication privacy. For the past three years, one could simply apt-get install twinkle with ZRTP support from any Debian repository, which has an open and proven model for peer-to-peer media security and a reference implementation of the ZRTP stack that is part of the GNU Project. More recently, there is SIP Communicator, purely Java based and truly multi-platform, which uses the newer ZRTP4J stack. Existing non-B2BUA based SIP servers like opensips or GNU sipwitch can be used to organize and coordinate scalable secure calling networks. All the tools are there to do verifiable communication privacy in freedom today.
Re: (Score:2)
which uses the newer ZRTP4J stack. Existing non-B2BUA based SIP servers
I'm usually quite nerdy, but your post even gives me acronym overload. At any rate, I guess some of the point you miss would be hiding in a bigger network? Perfect security is fine, but not if you can just assume that everyone participating is involved in some nasty business.
Re: (Score:3, Funny)
*Too Much Acronyms.
I'm glad we standardized on Skype (Score:2)
If the de facto standard was open source, with provably well implemented encryption, then I wouldn't be safe from the criminal hordes.
Re:I'm glad we standardized on Skype (Score:5, Insightful)
If the de facto standard was open source, with provably well implemented encryption, then I wouldn't be safe from the criminal hordes.
It could have been. If an open source project created a product which worked as well as Skype I'm sure it could easily have been as popular.
The problem with a plain SIP client is you suddenly find you need a SIP account with a provider - there aren't many truly international SIP providers and they don't all have agreements to allow SIP calls to be carried for free, which adds a lot of complication. And every layer of complication you add to a product will put a lot of people off.
Only Skype? (Score:4, Insightful)
Somebody better tell them about all the other evil loopholes that criminals can use to talk over the internet. They'd better also be able to wiretap Yahoo and Windows Messenger voice, oh, and X-Box chat, and we're going to have to change the RTP protocol to send them a copy of all communications, of course. I'm guessing we'll have to hack all ssh clients to unencrypt VoIP traffic if somebody tries to tunnel it, too.
Or, you know, just get on Skype's case because authorities apparently have no idea what they're doing and seem to believe that Skype is the only way to talk over the internet. I'm sure the criminals appreciate the heads up so they can make sure to use more secure methods.
Ah Europeans (Score:2)
All this crap we heard about Bush, and as we speak the UK is threatening to sink because of the weight of all its cameras, and now the EU wants to spy on everyone.
Re: (Score:3, Informative)
The EU wants the existing wiretap legislation, the one that requires showing cause in court and getting a warrant, to be expanded to also include forms of IP-telephony. The Bush administration wiretapped everyone they felt like, without even bothering to show any cause or get a warrant from that rubber-stamp of a court that is FISA.
Seems pre
I don't WORRY about so-called criminals (Score:5, Insightful)
I do worry about my (and everyone's) government.
the governments are ruining our lives, NOT the terrorists OR the criminals!
what an upside down world we live in. I truly don't fear criminals. I truly do fear my own government.
what is a criminal going to do with info he taps from my line? otoh, we can clearly imagine the kind of damage that happens when the governments listen in.
I wonder if we can ever fix this broken world of ours, where we have more to fear from the so-called good guys than the bad guys.
Re: (Score:3, Insightful)
Yup.
Since when do people who use undocumented features become criminals?
And what right do the governments have in labeling such people criminals?
Have they been proven guilty in a court of law?
If not, then it means if the government indulges in unauthorised snooping it is OK by law?
Why can't governments be held under the same law that they pass for citizens?
For instance in US, it is a criminal offense to eavesdrop on a telephone line without a court order.
If i do it, i have committed a criminal offense.
Bu
Re:I don't WORRY about so-called criminals (Score:4, Funny)
Everybody pissed and moaned about how bad Bush was.. Just you wait till we've had Comrade Obama and his ilk in Congress for a couple of years.. You ain't seen NOTHING yet!! Before one of the many SlashLibs shouts me down as being a Republican, I'll admit that I *was*, for 98% of my life (I'm 58), but in the last couple of years, I've gotten absolutely fed up with the Republican party and am now an Independent.. Which means I'm disenfranchised.. Nobody to vote for.. In any event, I strongly suspect by the time I'm 65 in 2015, this country will be finished, only the cleanup of what it once was left to complete.. Of course, perhaps John Titor actually WAS from the future, and the civil war he reports that happened in 2012 really happened, after all he did say we'd start seeing signs of it in 2008-2009... I *used* to have to put on a tight-fitting tinfoil hat when I read the accounts of John, but not so much anymore...
Re:If governments are bad ..... (Score:5, Interesting)
my alternative is a complete ban on ALL wire-tapping.
making all electronic communication the equivalent of whispering in a person's ear.
why would one be considered a fundamental human right and yet the other be so easily discarded?
criminals have the right to air, water, food, shelter, clothing. I'd also add 'right to communicate freely' in that list.
once we start whittling down what rights 'certain' people have, you are on the road to societal doom.
I don't believe 'the end justifies the means' and that's ENTIRELY what this wiretapping is all about. we'll VIOLATE your right to communicate in privacy - because there's some 'bad guy in a turban' that we want to stop.
this is insane! the founding fathers would not have given up our freedom to 'ensure' temporary safety and we shouldn't sell our freedoms out, either!
no, I don't agree that police and the gov have any INHERENT right to tap our comms. nothing at all gives them THAT kind of right-stomping ability, no matter WHAT the cause is.
in all situations, humans should have the DIGNITY to communicate and not have to worry about who is stealing their thoughts, ideas or even worse - who is going to MIS-INTERPRET your writings or speech. I'm waiting for the case where someone's fictional writing is intercepted and someone gets into 'big trouble' when the wiretappers refuse to believe that a person's private writing is just that - private. same with phone, net and anything else including email.
Honeypot, baitcar or try zphone (Score:3, Interesting)
Via hardware or software a gov can intercept your calls.
Any info seems more about extending national or wider legal powers.
ie. Skype has been open to law enforcement, they just want to use it in court.
http://wikileaks.org/wiki/Skype_and_the_Bavarian_trojan_in_the_middle [wikileaks.org]
Smart criminals will not be affected (Score:3, Insightful)
A smart criminal will know that not only are they interested in what you say, but more often who you say it to. "Aunt Bertha is ill" could mean that I am worried about my aunt, or that the shipment of drugs and guns will be arriving 09:00 in wherever.
A semi-smart criminal will be using e.g. /. to post messages and think there is no relation between the people. However the Man can gather the information to who connects and then with some time and exclusion determine who I would be speaking to.
So what you need is a way of communicating with each other where there is no direct link between sender and receiver. You could wait for Google to enter the message in their search and use their cache to read it. Bit safer, but still not 100%.
An even smarter criminal would be using something where messages are exchanged between points where you have no control. During WWII (Not the game console) radio was used. Sending from the UK, receiving on the continent and no idea who the message was intended for.
Such a thing exists today and is called Usenet. You can use e.g. alt.test for plain messages. You can also pgp the message and then post it inside a porn image or music file to an appropriate group.
Darn I just provided a link between illegal music and terrorism. Sorry.
Now the real smart criminals won't be affected by this. They do everything by the law and when things do not go well, they get rewarded anyway.
I suppose law enforcement has to do something... (Score:3, Insightful)
Generic Laws (Score:3, Insightful)
I've often wondered why we can't have generic laws. Laws that cover a type of action rather than a very particular case of a type of action. For example, we have enacted wiretapping laws so that we can listen to phone conversations; why didn't we enact an eavesdropping law instead, so that the required authorities could apply for permission to listen in to the communications of an individual regardless of how those communications were taking place? As far as I can see this doesn't erode privacy any more than it has already been eroded and it means that we don't need all the half-brained politicians making up reams and reams of new legislation (which invariably is an excuse for mission creep).
So what *is* the state of Skype security? (Score:3, Insightful)
Obviously it can be broken by planting malware in the target's computer, but what are the other ways? Last we heard, independent reviews of the crypto protocols said they were pretty good.
But I am quite sure there are exploitable weaknesses in the login server and protocol. Skype operates that server, so we can assume that it either is or soon will be compromised.
Consider the following simple observations. I can install Skype on another computer, sign in with my existing user name and password, and talk to any of my existing contacts without any of them noticing anything unusual. I transferred nothing from my old installation, so my new installation cannot have any of its existing secrets. It knows only one long term secret: my account password, and I use that only to authenticate myself to the Skype login server.
Furthermore, unlike most IM programs, I can sign in from multiple computers and switch between them during chat sessions. All will get copies of all that is said.
This seems to demonstrate quite clearly that with the cooperation of the operator of the Skype login server, you can impersonate any Skype user and conduct either a man-in-the-middle attack or a conferencing attack.
The weakness here is that you're relying on the login server to authenticate your correspondents instead of doing it yourself on an end-to-end basis. Without authentication, encryption is meaningless.
You could probably add packet-level authentication mechanisms to Skype traffic to protect against this attack, but if you're going that far you might as well use something completely different that you can fully trust.
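The post above and the earlier "Communication privacy in freedom" comment make the same point from two sides: if the only party vouching for who is on the other end is the operator's login server, an interposed server can re-key both sides of a call, and the ZRTP-style remedy is an end-to-end check the two humans perform themselves. The following is an added illustration in Python (my own code, not Skype's protocol, not the ZRTP stack, and not from the thread). The group parameters `P`/`G`, the `Endpoint` model and the relay functions are assumptions constructed for the demonstration; the short authentication string is the ZRTP idea in its simplest form, a truncated hash of the derived secret that both callers read to each other out of band.

```python
import hashlib
import secrets
from typing import Callable, Optional, Tuple

# Toy group parameters, constructed for illustration only (a Mersenne prime and a
# small generator). A real deployment uses a standardised group or X25519.
P = 2**127 - 1
G = 3


class Endpoint:
    """One call participant holding an ephemeral Diffie-Hellman key pair."""

    def __init__(self, name: str, priv: Optional[int] = None):
        self.name = name
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.shared: Optional[int] = None

    def derive(self, peer_pub: int) -> int:
        """Combine our private value with whatever public value arrived for the peer."""
        self.shared = pow(peer_pub, self.priv, P)
        return self.shared


def sas(shared: int, hex_chars: int = 4) -> str:
    """Short authentication string: a truncated hash of the derived secret.
    Two endpoints that really share a secret get the same string; an
    interposed party gives each side a different secret, hence different strings."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()[:hex_chars]


Relay = Callable[[int, int], Tuple[int, int]]


def honest_relay(a_pub: int, b_pub: int) -> Tuple[int, int]:
    """A rendezvous/login server that merely forwards the two public values.
    Returns (value delivered to Bob, value delivered to Alice)."""
    return a_pub, b_pub


def interposed_relay(priv: Optional[int] = None) -> Relay:
    """Models the weakness described in the post: a server in the signalling
    path that hands its OWN public value to both sides, so each side
    unknowingly agrees a key with the server rather than with the other caller."""
    relay_endpoint = Endpoint("relay", priv)

    def relay_fn(a_pub: int, b_pub: int) -> Tuple[int, int]:
        return relay_endpoint.pub, relay_endpoint.pub

    return relay_fn


def run_call(alice: Endpoint, bob: Endpoint, relay: Relay, hex_chars: int = 4) -> Tuple[str, str]:
    """Key agreement through a relay; returns the SAS each side computes."""
    pub_for_bob, pub_for_alice = relay(alice.pub, bob.pub)
    alice.derive(pub_for_alice)
    bob.derive(pub_for_bob)
    return sas(alice.shared, hex_chars), sas(bob.shared, hex_chars)


def call_is_authenticated(alice_sas: str, bob_sas: str) -> bool:
    """The end-to-end check the post asks for: the callers compare the strings
    over the call itself. A mismatch means someone sits between them, whatever
    the server claims about who they are talking to."""
    return alice_sas == bob_sas


if __name__ == "__main__":
    a, b = Endpoint("alice"), Endpoint("bob")
    print("honest relay   :", call_is_authenticated(*run_call(a, b, honest_relay)))
    a, b = Endpoint("alice"), Endpoint("bob")
    print("interposed relay:", call_is_authenticated(*run_call(a, b, interposed_relay())))
```

The design point is where trust lands: `run_call` never asks the relay whether the key is good, because the relay is exactly the party the post says cannot be trusted. Verification happens between the two `Endpoint`s, and a four-character string is enough in practice only because an interposer has one chance per call to get lucky; for the deterministic checks below the full digest is compared.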
Re: (Score:2)
Clearly governments need to get rid of their bad laws instead of introducing yet more bad government practices.
How crazy! Who would they appease by doing that?
Re: (Score:2)
"Who Poses the Greatest Threat To Your Privacy?" ... without a doubt, Your Government
Really? You think an organisation that believes they can intercept communications by requiring a single, proprietary, software maker to give them back doors, and don't realise that there are open standards for encrypted communications with independent implementations that anyone can use is a threat to your privacy? Companies like Skype and Facebook that rely on social pressure to persuade people to give up their privacy are a much bigger threat than a group that flails around aimlessly and plays a hopeles