Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Your Rights Online

German Govt. Skype Interception Trojans Revealed 172

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."
This discussion has been archived. No new comments can be posted.

German Govt. Skype Interception Trojans Revealed

Comments Filter:
  • Germany (Score:2, Interesting)

    by CastrTroy ( 595695 )
    Germany still seems to have a lot of it's old attitudes lying around. Installing trojans on the computers of it's citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure you're computer isn't compromised when making phone calls?
    • Re: (Score:2, Interesting)

      by gnasher719 ( 869701 )

      Germany still seems to have a lot of it's old attitudes lying around. Installing trojans on the computers of it's citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure you're computer isn't compromised when making phone calls?

      1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

      It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that w

      • Re:Germany (Score:5, Insightful)

        by CastrTroy ( 595695 ) on Saturday January 26, 2008 @09:49AM (#22193164)
        The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road. They aren't allowed to walk into your house and watch you all day. Once they start installing trojans on computers for listening to skype calls, it's not a far stretch from them installing trojans to record every action you do on your computer.
        • Re:Germany (Score:4, Insightful)

          by STrinity ( 723872 ) on Saturday January 26, 2008 @10:40AM (#22193478) Homepage

          The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.
          No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?
          • The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.
            No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?
            Have you been hiding under a rock for the last 5 years? Warrants are so, umm, pre-Bush dynasty.
        • Re:Germany (Score:5, Insightful)

          by Nullav ( 1053766 ) <[Nullav.gmail] [ta] [com]> on Saturday January 26, 2008 @11:08AM (#22193694)
          So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them. Also, with this information out in the open now, anyone with a lick of sense will be even more wary of such rogue email attachments.

          tl;dr - No one has to convince you to pick up a tapped phone.
          • Re: (Score:3, Interesting)

            by WK2 ( 1072560 )

            So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them.

            Here in the USA, the police will break into your house to install keyloggers and such. Hardware keyloggers, usually. They will only send something through email if they don't know who you are (such as virus writers) and they do it to find out who, and where you are, not to listen to your phone calls. The problem with sending software trojans is that it usually doesn't work, and might get noticed.

            • by Nullav ( 1053766 )
              Thanks for enlightening me on that. I admit I didn't RTFA and took the word 'trojan' at face value, while 'personal delivery' is also listed in TFA. I'll definitely be looking at a hardware VOIP solution to brag about my plans of world domination after reading this.

              On another note, I'm quite surprised that only Windows 2k/XP are mentioned in the article. Police quietly breaking in and installing spyware would never cross my mind otherwise, but if I'm going to come home to a different OS I might get suspicio
            • (Mike Doonesbury is holding up a lamp, which has an obvious microphone sticking out the top)

              Mike: "Gee, Zonker, I bet this frame up really has you upset."
              Zonker: "Yeah, Mike, you know me -- I get high on LIFE! And AMERICA!"
              Guy wearing headphones: (thinks) "Oops...."

        • The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road.
          Um, they are allowed to tap your regular phone lines or intrude on your property as long as they have a warrant. They can do both with one, and neither without one.
          • by Sique ( 173459 )
            But if they intrude your property, they have either you, a person you authorise, or at least someone not involved with the police with them as a witness. At least that's the current law in Germany.
        • by kcelery ( 410487 )
          Please also unplug the webcam that you are not using. While you are hacking with your girl friend, you might not notice someone is giggling in the van which is parked outside of your house.
      • by iendedi ( 687301 ) on Saturday January 26, 2008 @04:34PM (#22195888) Journal

        1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

        It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

        In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them). Once so implicated, they can legally break down the door to your house, pull you from your bed, take you to a detention center, refuse to give you a phone call, hold you for as long as they like, torture you and so forth. If they decide to release you, they are not legally obligated to in any way compensate you for your life that they just demolished.

        I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?

        No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?

        When is it enough, people??
        • In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them).
          Heh. He might be a little more terrifying if he had some chance of winning the GOP nomination (to say nothing of the general election). He has some highly motivated followers, but those don't add up to a majority of votes.
          • by iendedi ( 687301 )
            I think what makes him terrifying isn't whether he can win or not, but simply what his message is. He is waking people up.
    • Re: (Score:3, Insightful)

      by TransEurope ( 889206 )
      An to do the same without public announcement is better? Or what "old attitudes" have CIA and NSA? Are they Nazis too? Or worse?
    • Re: (Score:2, Funny)

      by Anonymous Coward

      How long before the gestapo packages up a Linux live CD with Skype preinstalled and distrubutes it as secure?

      Fixed

      • this is moderately funny. it is also insightful. people are forgetting that you don't have to have a computer any more to use skype. what about those who purchase skype enabled phones that connect to your home router? or skype wifi phones? those phones do come with some sort of OS installed and skype software. who is to say that the makers of the phones won't eventually modify the phones they sell to add the 'features' that the police or government want them to have when distributing to say, Germany...
    • Re:Germany (Score:5, Insightful)

      by trewornan ( 608722 ) on Saturday January 26, 2008 @09:52AM (#22193182)

      Germany still seems to have a lot of it's old attitudes lying around.

      Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

      • Skype pretty much admits allowing wire-taps by refusing to answer whether they do or not, and given the law that makes them do it, and the current administration's love of secret Internet monitoring, you pretty much have to assume your Skype calls are about as public as Slashdot. What's interesting about this article is to find the Germans doing it. They had seemed so progressive lately, I'm quite surprised.
      • Naive people..... (Score:3, Insightful)

        by jmorris42 ( 1458 ) *
        > talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

        That is exactly why all the uproar. Too many stupid people looked at the magic encryption pixie dust eBay was splashing around Skype and thought it was safe. A closed implemntation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national. If the crypto didn't have bugs[1] a court order from any jurisdiction eBay does business in would be all that is needed t
        • by Bungie ( 192858 )

          A closed implemntation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national.

          Most encryption algorithms are open standards and are same regardless of the implementation. Open or closed, the output will be the same. If they use standard AES [wikipedia.org] encryption then the data will be just as secure as it would be in a open implementation.

          A backdoor in their implementation would take effort and is risky, with little gain. What use would they have for the decrypte

    • Re:Germany (Score:5, Insightful)

      by Aardpig ( 622459 ) on Saturday January 26, 2008 @10:15AM (#22193322)
      As someone else has pointed out, it is legal in Germany for police to monitor phone calls, when they get appropriate authorization from a judge. Contrast this with the United States, where the administration is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.
      • is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

        The key word being "TRYING" (though they may get it). Keep in mind that it was 4 years only, not YEARS. Basically, it was just this admin, started in 2002 and was finished by 2006. Hopefully the dems will NOT allow this to go unpunished.

      • Re:Germany (Score:5, Insightful)

        by Yahma ( 1004476 ) on Saturday January 26, 2008 @12:50PM (#22194436) Journal

        My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telco's, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the otherhand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.

        The difference in public reaction is likely due to the histories of our respective nations. The Germans populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the otherhand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.

    • Re:Germany (Score:5, Insightful)

      by hkl387 ( 565152 ) on Saturday January 26, 2008 @01:29PM (#22194704)
      This is not about Germany's past, this is a global issue of today.

      According to a 2007 International Privacy Ranking [privacyinternational.org], there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".

      Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that Citizen's rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.
  • so what? (Score:2, Insightful)

    by Anonymous Coward
    They already have the ability to spy on you for normal phone calls. This just does the same thing for skype. In fact it's less bad since they can't do it on a mass scale; they have to come to the house of the person they want to install on or risk no knowing enough about your computer systems. What's the big hype? It's a very clear lesson; if you can't afford to protect your machine physically (and very few of us can afford that against something as powerful as the German Govt.) then you can't be 100%
    • The key thing is that they need a court to approve monitoring and have due legal process. This is what sets Germany apart from totalitarian societies like Saudi Arabia, China, the USA and Sudan.

      In reality, however, one only has to claim that something you do, or something you know does, or something somebody who knows somebody who knows you does, is somehow unconstitutional, and they can listen to all your communications. You won't even know about it.

      So, in practice, there is little fundamental difference,

  • by trelayne ( 930715 ) on Saturday January 26, 2008 @09:41AM (#22193102)
    If Germany can do it, do we really think it hasn't already been done in the states? Skype, is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.
    • by Kadin2048 ( 468275 ) <slashdot@kadin.xoxy@net> on Saturday January 26, 2008 @10:38AM (#22193470) Homepage Journal

      If Germany can do it, do we really think it hasn't already been done in the states?
      Skype, is very popular and would be a logical means for governments to monitor
      conversations---especially when said program touts itself as being encrypted and
      secure. So the German revelations are likely a national security goof.
      More than that, while the Germans have to install this aftermarket snooping program, it wouldn't surprise me if Ebay provided a convenient backdoor in the code so that the U.S. government can do the same thing without going to all the trouble and expense (both of third-party software, and warrants).

      How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.

      For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.
      • Or, even IF Skype is not sending data to the FBI all the gov would have to do is get a spy on the inside, pilfer some documentation, send it to the NSA and presto they will have all they need to clandestinely monitor skype conversations.
      • True, Skype has never released the kind of documentation that would give a cryptographer or security professional any confidence. But some things have been made public by reverse engineers: www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
      • by rtechie ( 244489 )

        it wouldn't surprise me if Ebay provided a convenient backdoor in the code

        They haven't. Doing so would require reimplementing SSL (they haven't) or simply not encrypting the traffic at all (they are encrypting it). Key exchange is client-to-client in Skype, and they are not silently redirecting the keys to a third party. Though Skype is ostensibly proprietary, the specs are widely available and outside security experts have tested Skype [zdnet.com].

    • exactly, this is why i always insist on the use of Navajo codetalkers when using Skype. so what if sometimes i order a pizza and instead they deliver buffalo [wings], it's worth it for the piece-of-mind.
  • da (Score:2, Funny)

    by Anonymous Coward
    Da, zis ceetezens arse iz goodentite.
  • If the German authorities know how to use Skype as a trojan, then I'll bet that others do too.
    I'm not too familiar with skype and its relation to firewalls but wasn't there an article or two(and this [cyberciti.biz]) about Skype's ability to use voodoo to penetrate firewalls? Any alternative clients? I'm not by any means an expert, by the way :)
  • by gnasher719 ( 869701 ) on Saturday January 26, 2008 @09:50AM (#22193168)
    Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

    The only possibility that I can see is to modify the browser itself, so that when the user tries to get a secure connection to www. criminals.com, the browser contacts www. police.de instead, gets a valid certificate from the police, while the police's computer then makes a secure connection to www. criminals.com.
    • Re: (Score:3, Informative)

      by Raven42rac ( 448205 ) *
      mac spoofing, arp poisoning, dns spoofing, and a fake certificate
      • by gnasher719 ( 869701 ) on Saturday January 26, 2008 @10:13AM (#22193310)

        mac spoofing, arp poisoning, dns spoofing, and a fake certificate
        Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.

        With a minute of thinking: The first method would be much better, because they don't need to know ahead who I am going to contact.

        With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?

        With a further minute of thinking: My computer has about 100 root certificates installed that came with Leopard, and similar things happen for Windows users. I have no idea where these certificates come from; I just have to trust Microsoft and Apple. If the police could convince Microsoft and Apple to put a root certificate owned by the police into their installers, then the police could read anyone's SSL connections without breaking into their homes (but breaking into their connection a bit further down the line)?
        • If they have access to your computer to install an extra root certificate they could also patch your web browser to not check root certificates.
        • Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.

          If they DNS spoof and redirect traffic to one of their servers, and have a valid certificate for "whateversite.c

        • by Rich0 ( 548339 ) on Saturday January 26, 2008 @03:32PM (#22195478) Homepage
          You are completely correct. When you tell your browser to trust a root certificate - that means exactly what it sounds like it means. Whoever has the signing keys to that root cert can make your browser think that any site is legit for any domain name.

          Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browers.

          Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.
        • by Burz ( 138833 )

          My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates...

          As it happens, Verisign is brazenly advertising "lawful intercept" services [verisign.com] and you can find pages gushing about it right on their website.

          So, yes, for a fee they will ab/use their position as Trusted Third Party [coverpages.org] and fake authorization of certificates to facilitate MITM attacks. But their M.O. is to subcontract to the telecoms/ISPs, so they would never need to do anything as messy as installing a box on your street.

    • Re: (Score:3, Interesting)

      To redirect the user from www.criminals.com to www.police.de, they only have to intercept DNS calls (unless the criminals have edited their /etc/hosts or Windows equivalent, but if they get a trojan in, that shouldn't be too hard to change as well). The only thing which might be problematic is to get a valid certificate. But then, they probably can get that by just connecting themselves (which they'll do anyway if they do a man-in-the-middle). AFAIK the certificate only contains the domain name, not the ser
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

      Probably in the same way that governments perform any other interception methods, full cooperation from corporations.

      Look at who Narus, the manufacturer of big honkin' communication vacuums that the NSA has installed at ATT and other telco's, partners with:

      http://www.narus.com/partners/index.html [narus.com]

      VeriSign offers the entire suite of Narus products to its global customer base as managed services or li

    • I am blown away by how much trust people place in their certificate authorities!
    • by Tuoqui ( 1091447 )
      MITM Attack Vectors for a Police/Spy Agency

      1) Attack the machine via Trojans or what have you.
      2) Poison the hosts file to point www.verisign.com or whatever to your server you have setup.
      3) Poison the DNS server(s) to do the same as #2.
      4) Hijack the upstream router and make a routing entry to your own server. (You can make your interception server do both DNS *AND* SSL then)
      5) Attack the receiving machine via trojans or similar methods to the above.

      The scary thing is this would actually work. Almost noone c
      • by Burz ( 138833 )
        Numbers 2 & 3 would cause the browser's internal cert to mismatch the fake CA's private key. SSL is proof against this attack. Number 4, still can't fake the cert without the user explicitly accepting it.

        Numbers 1 & 5 are not MITM at all. These are trojan/intrusion attacks at the source. If someone can place their code on your system, then you got a lot more to worry about than SSL transmissions.
  • by Anonymous Coward
    Germany has/had some wonderful privacy legislation, but in the last year or so they're heading in the other direction...

    What's interesting here is the collection of evidence by installing spyware: if forensic analysis of a disk means absolutely nothing may be installed/changed/touched on the disk, how are they allowed to install their own software? does this invalidate any evidence they collect for use in a court, or are civil law courts a bit more flexible with such things?

    Secondly, the problem here doesn'
    • "....software?"

      Good question. The best answer is, the bavarian minister has exactly no idea of software and how it works. He shares his unknowledge with his federal counterpart Wolfgang Schäuble, the guy responsible for the so called "Federal Trojan" (Bundestrojaner).

      http://en.wikipedia.org/wiki/Wolfgang_Sch%C3%A4uble [wikipedia.org]
  • by WK2 ( 1072560 ) on Saturday January 26, 2008 @09:53AM (#22193186) Homepage
    Skype is not securely encrypted. The only client is closed source, and the protocol is not open, nor peer-reviewed. The developers themselves have said that security analysts would probably quickly find holes if they opened the source.

    It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.

    http://en.wikipedia.org/wiki/Skype [wikipedia.org]
    • Re: (Score:3, Interesting)

      I would have to take issue with your statement.

      According to this: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf [ossir.org]

      Skype seems to use AES for the VOIP payload, and RC4 for signaling packets.

      Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling.

      I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

      However, there was an "independent"
      • Re: (Score:3, Informative)

        by WK2 ( 1072560 )

        It's nice that Skype is at least smart enough not to use DES, or ROT-13. AES is good encryption.

        Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling. I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

        I couldn't agree with you more.

        However, there was an "independent" review of Skype, which I understand was able to review the source code.

        You put "independent" in quotes. After reading the pdf you linked to, I could see why. From the pdf:

        You may imagine my delight when, in April 2005, Skype contacted me and invited me to compete for the job of performing an independent evaluation of Skype information security

        Skype thinks they are hiring an independent evaluator? I wonder how many independent evaluators they had to go through before they found one who was confident in Skype's security, so that they could display how secure they are.

        So to summarize, we have:

        + Skype uses a good,

        • Re: (Score:3, Informative)

          Yes, I did quote "independent", because of the conditions under which the inspection was made.

          However, before everyone rushes to judgment -- the guy who did the evaluation appears to have impressive credentials for assessing the effectiveness of implementation of encryption algorithms.

          Check out his page: http://www.anagram.com/berson/ [anagram.com]

          In my opinion, as a crypto dilettante, this guy Tom Berson is the real deal.

          Of course, Skype showed him selected parts of the code, which may or may not be in the final produc
        • Re: (Score:2, Interesting)

          by 0ptix ( 649734 )
          Using AES alone is definitely no guarantee of having established a secure communication channel. An at least equally important question is how key's are established and distributed. You did not mention any public key cryptography. AES is a symmetric key algorithm so how do two clients who've never talked with each other set up there first secure connection? Further AES is an encryption algorithm so it proves secrecy, but not automatically provide authentication. Especially with a known protocol this can lea
  • I don't believe for 1 minute that the "encryption" included with Skype is secure or should we say "escrow key free", do you?
  • by budword ( 680846 ) on Saturday January 26, 2008 @10:10AM (#22193296)
    Yeah, but does it run on Linux ? Anyone know if said software will end up on your linux box ?
  • I for one (Score:5, Insightful)

    by MrCopilot ( 871878 ) on Saturday January 26, 2008 @10:17AM (#22193338) Homepage Journal
    am glad i live in a country where these abuses of privacy are outlawed by the constitution and the government would never even think to monitor our voice and data transmissions.

    That is why I am proud to be an American. They what, Oh damn.

  • What about China? (Score:2, Interesting)

    by Toddlerbob ( 705732 )
    As pointed out in a comment above, if Germany does it, why not the USA? (Especially with all the secrecy and propensity to spy on citizens that the USA feds have these days)

    I'm wondering now about China. I remember that Skype was, for a short time, on slippery footing for continued operations in the People's Republic. Then, for some reason, there was no longer a problem. I can't help but suspect that Skype may have opened up its code to China in order to continue operating there. The Chinese government liv

  • is an idiot. Do you think that the USA, England France, Germany, China, and Russia would allow its citizen to communicate without their knowing? ALL of them have the ability to listen in on the calls. Heck the fact that the calls exist in China tells you that THEY have it. Do you think they cracked it? Nope. They will simply have bought or stolen it from another country (most likely America). And I suspect that even if we (America) did not have it, we would also resort to obtaining it from elsewhere. After
  • We should prick a hole in the stiff trojan front erected to cover these pricks.
  • The only encryption worth trusting is end-to-end, where at least one end is verified secure by you (because inevitably you'll have to trust the person at the other end, no matter how secure their tech is). Why would I trust Skype to be the middleman? Either to ensure the encryption works, or not to allow backdoors (designed or unexpected) in their carriage of the signals.

    When the network and all its intermediary nodes don't have to be trusted, because they just carry opaque traffic that only the endpoints c
    • In the US, that would mean no peeking without prior evidence showing probable cause, decided and kept track of by a judge, according to the law. HA! Hahahahahahahahahahahahahahahahahahahahaha! *breaths for a bit* HA! In the US that would require someone saying that you are a terrorist. No evidence/probable cause/judge/oversight whatsoever needed. Pedophile may also work.
      • Despite the many critical exceptions and the overall downward trend, practically all searches in the US are overseen by a judge (except for the major critical exception of vehicle searches).

        Just because Bush has shredded the 4th Amendment in a long line of presidents and Congresses trampling it doesn't mean Americans like me are giving up on our rights. Especially when they're still usually protected.
  • 9-11, 9-11, they will cower in fear and let the government do whatever the hell it wants.

    Er, wait a sec, did you say Germany? Hmm. Maybe we'll get to see what it looks like when an the public, enraged by the abuses of their government, shows the bastards who's boss.
    • Re: (Score:3, Funny)

      by jollyreaper ( 513215 )

      an the public
      Schiesse. Maybe next they'll show us how to proofread. :(
    • 9-11, 9-11, they will cower in fear and let the government do whatever the hell it wants.

      Er, wait a sec, did you say Germany? Hmm. Maybe we'll get to see what it looks like when an the public, enraged by the abuses of their government, shows the bastards who's boss.

      Sounds familiar. Didn't the German people do exactly that when they chose Hitler to tear apart their perceived bondage and servitude to the Internationalists? The German people reacted with a violent xenophobia that ultimately gave rise to the second world war. The German people targeted one group in particular, because they were incensed at their perceived control over Germany's finances, media and political apparatus and their perceived ruthlessness; squeezing the German people mercilessly and withou

  • Maybe, but... (Score:3, Informative)

    by TransEurope ( 889206 ) <[ed.znelbok-inu] [ta] [caine]> on Saturday January 26, 2008 @11:47AM (#22193970)
    ...they were never hired by the CIA/NSA. They were all hired by the German Government to found the Bundesnachrichtendienst (Germany's Federal Secret Service) and the MAD (Military Counter Intelligence Service) in 1956 ;-)
  • by J'raxis ( 248192 ) on Saturday January 26, 2008 @02:36PM (#22195176) Homepage

    Anyone who thinks fascism in Germany ended with the fall of Nazism is severely mistaken.

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Working...