German Govt. Skype Interception Trojans Revealed

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."

so what?

[Anonymous Coward]

They already have the ability to spy on you for normal phone calls. This just does the same thing for skype. In fact it's less bad since they can't do it on a mass scale; they have to come to the house of the person they want to install on or risk no knowing enough about your computer systems. What's the big hype? It's a very clear lesson; if you can't afford to protect your machine physically (and very few of us can afford that against something as powerful as the German Govt.) then you can't be 100% sure of your security.

The key thing is that they need a court to approve monitoring and have due legal process. This is what sets Germany apart from totalitarian societies like Saudi Arabia, China, the USA and Sudan.

Why should we be surprised?

[trelayne]

If Germany can do it, do we really think it hasn't already been done in the states? Skype, is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

Nothing is secure if your machine is compromized

[Anonymous Coward]

This is what I hate about so-called security "holes." Nothing is secure if your machine is compromised with malware. TruCrypt, SSL, PGP, encrypted Skype, and anything else are only as secure as the morons using them and the box(es) they are running on.

Re:Germany

[TransEurope]

An to do the same without public announcement is better? Or what "old attitudes" have CIA and NSA? Are they Nazis too? Or worse?

Re:Germany

[CastrTroy]

The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road. They aren't allowed to walk into your house and watch you all day. Once they start installing trojans on computers for listening to skype calls, it's not a far stretch from them installing trojans to record every action you do on your computer.

Re:Germany

[trewornan]

Germany still seems to have a lot of it's old attitudes lying around.

Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

Re:Germany

[Aardpig]

As someone else has pointed out, it is legal in Germany for police to monitor phone calls, when they get appropriate authorization from a judge. Contrast this with the United States, where the administration is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

"how are they allowed to install their own..."

[TransEurope]

"....software?"

Good question. The best answer is, the bavarian minister has exactly no idea of software and how it works. He shares his unknowledge with his federal counterpart Wolfgang Schäuble, the guy responsible for the so called "Federal Trojan" (Bundestrojaner).

http://en.wikipedia.org/wiki/Wolfgang_Sch%C3%A4uble [wikipedia.org]

I for one

[MrCopilot]

am glad i live in a country where these abuses of privacy are outlawed by the constitution and the government would never even think to monitor our voice and data transmissions.

That is why I am proud to be an American. They what, Oh damn.

Re:Why should we be surprised?

[Kadin2048]

If Germany can do it, do we really think it hasn't already been done in the states?
Skype, is very popular and would be a logical means for governments to monitor
conversations---especially when said program touts itself as being encrypted and
secure. So the German revelations are likely a national security goof.

More than that, while the Germans have to install this aftermarket snooping program, it wouldn't surprise me if Ebay provided a convenient backdoor in the code so that the U.S. government can do the same thing without going to all the trouble and expense (both of third-party software, and warrants).

How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.

For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.

Re:Germany

[STrinity]

The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.

No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?

Skype on linux is a bad idea

[Werrismys]

It's closed, proprietary crap after all.

Re:Germany

[Nullav]

So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them. Also, with this information out in the open now, anyone with a lick of sense will be even more wary of such rogue email attachments.

tl;dr - No one has to convince you to pick up a tapped phone.

Wikileaks author is a jerk...

[Anonymous Coward]

for not poiting out in the translation that they did this because of a criminal investigation. As long as a judge has allowed telephone interception for this case there is really no reason for all this 'German Nazi history' blahblah that slashdotters love to get all worked up about.

Naive people.....

[jmorris42]

> talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

That is exactly why all the uproar. Too many stupid people looked at the magic encryption pixie dust eBay was splashing around Skype and thought it was safe. A closed implemntation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national. If the crypto didn't have bugs[1] a court order from any jurisdiction eBay does business in would be all that is needed to open calls to police ears.

If you want security it has to come from public crypto protocols implemented by open software running on open platforms. And even then, after you install openBSD, and carefully encrypt all of the partitions (even swap), you better make damned sure you keep physical control lest somebody install a keylogger and recover the passphrases.. and 'they' almost certainly can even manage it in laptops or handhelds!

[1] A really big IF, requiring a 'willing suspension of disbelief' if ever anything did to buy.

Re:Germany

[Yahma]

My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telco's, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the otherhand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.

The difference in public reaction is likely due to the histories of our respective nations. The Germans populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the otherhand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.

Re:Germany

[hkl387]

This is not about Germany's past, this is a global issue of today.

According to a 2007 International Privacy Ranking [privacyinternational.org], there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".

Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that Citizen's rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.

Re:Man-in-the-middle against SSL?

[Rich0]

You are completely correct. When you tell your browser to trust a root certificate - that means exactly what it sounds like it means. Whoever has the signing keys to that root cert can make your browser think that any site is legit for any domain name.

Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browers.

Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.

Your privacy, Your liberty, Your freedom

[iendedi]

1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them). Once so implicated, they can legally break down the door to your house, pull you from your bed, take you to a detention center, refuse to give you a phone call, hold you for as long as they like, torture you and so forth. If they decide to release you, they are not legally obligated to in any way compensate you for your life that they just demolished.

I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?

No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?

When is it enough, people??