Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

German Govt. Skype Interception Trojans Revealed

Posted by CmdrTaco on Sat Jan 26, 2008 10:27 AM
from the trojan-man dept.
James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."
+ -
story

Related Stories

Firehose:Wikileaks reveals Skype interception trojans by James Hardine (1150665)
[+] European Crackdown On Skype "Loophole" 230 comments
angry tapir writes "Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police. Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions, has announced the opening of an investigation involving all 27 countries of the European Union."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

German Govt. Skype Interception Trojans Revealed 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Why should we be surprised? (Score:5, Insightful)

    by trelayne (930715) on Saturday January 26 2008, @10:41AM (#22193102)
    If Germany can do it, do we really think it hasn't already been done in the states? Skype, is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

    • If Germany can do it, do we really think it hasn't already been done in the states?
      Skype, is very popular and would be a logical means for governments to monitor
      conversations---especially when said program touts itself as being encrypted and
      secure. So the German revelations are likely a national security goof.
      More than that, while the Germans have to install this aftermarket snooping program, it wouldn't surprise me if Ebay provided a convenient backdoor in the code so that the U.S. government can do the same thing without going to all the trouble and expense (both of third-party software, and warrants).

      How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.

      For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.

  • Man-in-the-middle against SSL? (Score:5, Interesting)

    by gnasher719 (869701) on Saturday January 26 2008, @10:50AM (#22193168)
    Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

    The only possibility that I can see is to modify the browser itself, so that when the user tries to get a secure connection to www. criminals.com, the browser contacts www. police.de instead, gets a valid certificate from the police, while the police's computer then makes a secure connection to www. criminals.com.

    • Re: (Score:3, Informative)

      by Raven42rac (448205) *
      mac spoofing, arp poisoning, dns spoofing, and a fake certificate

      • Re:Man-in-the-middle against SSL? (Score:4, Interesting)

        by gnasher719 (869701) on Saturday January 26 2008, @11:13AM (#22193310)

        mac spoofing, arp poisoning, dns spoofing, and a fake certificate
        Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.

        With a minute of thinking: The first method would be much better, because they don't need to know ahead who I am going to contact.

        With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?

        With a further minute of thinking: My computer has about 100 root certificates installed that came with Leopard, and similar things happen for Windows users. I have no idea where these certificates come from; I just have to trust Microsoft and Apple. If the police could convince Microsoft and Apple to put a root certificate owned by the police into their installers, then the police could read anyone's SSL connections without breaking into their homes (but breaking into their connection a bit further down the line)?

        • Re:Man-in-the-middle against SSL? (Score:4, Insightful)

          by Rich0 (548339) on Saturday January 26 2008, @04:32PM (#22195478) Homepage
          You are completely correct. When you tell your browser to trust a root certificate - that means exactly what it sounds like it means. Whoever has the signing keys to that root cert can make your browser think that any site is legit for any domain name.

          Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browers.

          Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.

    • Re: (Score:3, Interesting)

      by maxwell demon (590494)
      To redirect the user from www.criminals.com to www.police.de, they only have to intercept DNS calls (unless the criminals have edited their /etc/hosts or Windows equivalent, but if they get a trojan in, that shouldn't be too hard to change as well). The only thing which might be problematic is to get a valid certificate. But then, they probably can get that by just connecting themselves (which they'll do anyway if they do a man-in-the-middle). AFAIK the certificate only contains the domain name, not the ser

  • Skype is not securely encrypted. (Score:5, Informative)

    by WK2 (1072560) on Saturday January 26 2008, @10:53AM (#22193186) Homepage
    Skype is not securely encrypted. The only client is closed source, and the protocol is not open, nor peer-reviewed. The developers themselves have said that security analysts would probably quickly find holes if they opened the source.

    It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.

    http://en.wikipedia.org/wiki/Skype [wikipedia.org]

    • Re: (Score:3, Interesting)

      by PGillingwater (72739)
      I would have to take issue with your statement.

      According to this: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf [ossir.org]

      Skype seems to use AES for the VOIP payload, and RC4 for signaling packets.

      Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling.

      I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

      However, there was an "independent"

  • The classic /. question..... (Score:3, Interesting)

    by budword (680846) on Saturday January 26 2008, @11:10AM (#22193296)
    Yeah, but does it run on Linux ? Anyone know if said software will end up on your linux box ?

  • I for one (Score:5, Insightful)

    by MrCopilot (871878) on Saturday January 26 2008, @11:17AM (#22193338) Homepage Journal
    am glad i live in a country where these abuses of privacy are outlawed by the constitution and the government would never even think to monitor our voice and data transmissions.

    That is why I am proud to be an American. They what, Oh damn.

    • Re: (Score:3, Insightful)

      by TransEurope (889206)
      An to do the same without public announcement is better? Or what "old attitudes" have CIA and NSA? Are they Nazis too? Or worse?

    • Re:Germany (Score:5, Insightful)

      by trewornan (608722) on Saturday January 26 2008, @10:52AM (#22193182)

      Germany still seems to have a lot of it's old attitudes lying around.

      Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

    • Re:Germany (Score:5, Insightful)

      by Aardpig (622459) on Saturday January 26 2008, @11:15AM (#22193322)
      As someone else has pointed out, it is legal in Germany for police to monitor phone calls, when they get appropriate authorization from a judge. Contrast this with the United States, where the administration is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

      • Re:Germany (Score:5, Insightful)

        by Yahma (1004476) on Saturday January 26 2008, @01:50PM (#22194436) Journal

        My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telco's, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the otherhand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.

        The difference in public reaction is likely due to the histories of our respective nations. The Germans populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the otherhand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.

    • Re:Germany (Score:5, Insightful)

      by hkl387 (565152) on Saturday January 26 2008, @02:29PM (#22194704)
      This is not about Germany's past, this is a global issue of today.

      According to a 2007 International Privacy Ranking [privacyinternational.org], there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".

      Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that Citizen's rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.

      • Re:Germany (Score:5, Insightful)

        by CastrTroy (595695) on Saturday January 26 2008, @10:49AM (#22193164) Homepage
        The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road. They aren't allowed to walk into your house and watch you all day. Once they start installing trojans on computers for listening to skype calls, it's not a far stretch from them installing trojans to record every action you do on your computer.

        • Re:Germany (Score:4, Insightful)

          by STrinity (723872) on Saturday January 26 2008, @11:40AM (#22193478) Homepage

          The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.
          No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?

        • Re:Germany (Score:5, Insightful)

          by Nullav (1053766) <moc&liamg,valluN> on Saturday January 26 2008, @12:08PM (#22193694)
          So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them. Also, with this information out in the open now, anyone with a lick of sense will be even more wary of such rogue email attachments.

          tl;dr - No one has to convince you to pick up a tapped phone.

      • Your privacy, Your liberty, Your freedom (Score:5, Insightful)

        by iendedi (687301) on Saturday January 26 2008, @05:34PM (#22195888) Journal

        1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

        It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

        In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them). Once so implicated, they can legally break down the door to your house, pull you from your bed, take you to a detention center, refuse to give you a phone call, hold you for as long as they like, torture you and so forth. If they decide to release you, they are not legally obligated to in any way compensate you for your life that they just demolished.

        I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?

        No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?

        When is it enough, people??

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.