German Govt. Skype Interception Trojans Revealed 172
James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."
Germany (Score:2, Interesting)
Re: (Score:2, Interesting)
Germany still seems to have a lot of it's old attitudes lying around. Installing trojans on the computers of it's citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure you're computer isn't compromised when making phone calls?
1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.
It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that w
Re:Germany (Score:5, Insightful)
Re:Germany (Score:4, Insightful)
Telcom wiretapping (Score:2)
Re:Germany (Score:5, Insightful)
tl;dr - No one has to convince you to pick up a tapped phone.
Re: (Score:3, Interesting)
So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them.
Here in the USA, the police will break into your house to install keyloggers and such. Hardware keyloggers, usually. They will only send something through email if they don't know who you are (such as virus writers) and they do it to find out who, and where you are, not to listen to your phone calls. The problem with sending software trojans is that it usually doesn't work, and might get noticed.
Re: (Score:2)
On another note, I'm quite surprised that only Windows 2k/XP are mentioned in the article. Police quietly breaking in and installing spyware would never cross my mind otherwise, but if I'm going to come home to a different OS I might get suspicio
When the Bundeskriminalant hands you a bug... (Score:2)
Mike: "Gee, Zonker, I bet this frame up really has you upset."
Zonker: "Yeah, Mike, you know me -- I get high on LIFE! And AMERICA!"
Guy wearing headphones: (thinks) "Oops...."
Re:Germany (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Your privacy, Your liberty, Your freedom (Score:5, Insightful)
It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.
I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?
No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?
When is it enough, people??
Not so terrifying (Score:2)
Re: (Score:2)
Re: (Score:2)
Personally I think that you are being a bit paranoid here about your response. It makes you as bad as the group you rally against.
How? I'm not sure I understand your implication? Are you saying that if a soldier breaks my door down in the middle of the night intending to pull me out of bed and drag me off to be tortured in some secret detention center for voting for Ron Paul that I shouldn't use deadly force to stop him?
Or do you just think that it is paranoid to think that anyone might want to do that to someone just because they support Ron Paul?
Are you against defending your family? If someone breaks your door down, would
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not to say that you wouldn't be justified, but we cannot allow individuals to start shooting soldiers/police officers every time they think their impending imprisonment is unjustified.
Yes, this is a slippery slope. Really, I was imagining being Jewish in nazi germany when I wrote what I wrote. We live in very different times today. But where is the line? At what point is extreme defense a reasonable response?
Clearly, when we live in a sane society where human rights are respected and the rule of law is fair and balanced, extreme defense is an abomination.
Equally clearly, if we live in a tyrannical totalitarian regime where you run the risk of going to the gas chamber for your
Re: (Score:2)
No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force.
You had a convincing argument until this point. Now you look like a nut that has no place in a civilised society.
Clearly, this part of my post has been misinterpreted. I am not saying that one should use deadly force like some kind of paranoid reactionary. This topic was about the German government putting a virus on people's computers to steal keys in order to spy on them. This obviously resonates with people's memories about the nazi regime and that was very much in my mind when I posted. I am certain that if you asked Holocaust survivors if they, knowing then what they know today, would choose to use deadly fo
Re: (Score:2)
You probably mean "doesn't affect the user's legal rights" but how this adds up ethically is more to the point. Most of Nazi Germany's and Stalinist Russia's abominations were legal at the time according to their nation's laws! Judging a governmental authority in legal terms does not really amount to saying much when they create the laws we judge them by. We need a less transient ethical framework for that purpose (preferably one which includes the right-to-privacy, innocent until proven guilty etc. etc.).
Oh my lord! It sounds like you are talking about the constitution and the bill of rights. How quaint. I had almost forgotten we had those.
Re: (Score:3, Insightful)
Re: (Score:2)
Posted By: Phoenix
Date: Sunday, 9 December 2001, 3:12 a.m.
In Response To: THE BUSH FAMILY CIA & NAZI PAST (Phoenix)
This posted at Emperor's Clothes is about an article in The San Francisco Bay Guardian that discusses the recently unclassified CIA files.
There are also many more references at the end of Part Two.
Pa
Getting closer, but not seeing it clearly (Score:2)
All of the rest of it, the intrigue, the espionage, the media wars, etc... All of it is simply a tool for shaping society, forcing people to act and think in particular ways, to experiment with political systems and methods of hu
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The Indo-Iranian peoples were the opposition to the Babylonian/Egyptian wizards. They finally defeated the Assyrians.
Yea, that's why I think it was an ironic transposition in the movie. Fact inversions are part and parcel of what we see coming from these groups. They are excellent at projecting the character of who they actually are on their intended victim in order to demonize their victim and ensure that all of the blame for the resultant horrors is juxtaposed in such a way as to make the victim responsible.
Re: (Score:2)
On
Re: (Score:2, Funny)
Fixed
Re: (Score:2)
Re:Germany (Score:5, Insightful)
Germany still seems to have a lot of it's old attitudes lying around.
Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?
Re: (Score:2)
Naive people..... (Score:3, Insightful)
That is exactly why all the uproar. Too many stupid people looked at the magic encryption pixie dust eBay was splashing around Skype and thought it was safe. A closed implemntation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national. If the crypto didn't have bugs[1] a court order from any jurisdiction eBay does business in would be all that is needed t
Re: (Score:2)
A closed implemntation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national.
Most encryption algorithms are open standards and are same regardless of the implementation. Open or closed, the output will be the same. If they use standard AES [wikipedia.org] encryption then the data will be just as secure as it would be in a open implementation.
A backdoor in their implementation would take effort and is risky, with little gain. What use would they have for the decrypte
Re:Germany (Score:5, Insightful)
Re: (Score:2)
The key word being "TRYING" (though they may get it). Keep in mind that it was 4 years only, not YEARS. Basically, it was just this admin, started in 2002 and was finished by 2006. Hopefully the dems will NOT allow this to go unpunished.
Re:Germany (Score:5, Insightful)
My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telco's, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the otherhand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.
The difference in public reaction is likely due to the histories of our respective nations. The Germans populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the otherhand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.
Re: (Score:2)
Re: (Score:2)
Re:Germany (Score:5, Insightful)
According to a 2007 International Privacy Ranking [privacyinternational.org], there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".
Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that Citizen's rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.
so what? (Score:2, Insightful)
Re: (Score:2)
In reality, however, one only has to claim that something you do, or something you know does, or something somebody who knows somebody who knows you does, is somehow unconstitutional, and they can listen to all your communications. You won't even know about it.
So, in practice, there is little fundamental difference,
Why should we be surprised? (Score:5, Insightful)
Re:Why should we be surprised? (Score:5, Insightful)
Skype, is very popular and would be a logical means for governments to monitor
conversations---especially when said program touts itself as being encrypted and
secure. So the German revelations are likely a national security goof.
How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.
For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.
Re: (Score:2)
Skype encryption documentation and lack thereof (Score:2)
Re: (Score:2)
it wouldn't surprise me if Ebay provided a convenient backdoor in the code
They haven't. Doing so would require reimplementing SSL (they haven't) or simply not encrypting the traffic at all (they are encrypting it). Key exchange is client-to-client in Skype, and they are not silently redirecting the keys to a third party. Though Skype is ostensibly proprietary, the specs are widely available and outside security experts have tested Skype [zdnet.com].
Re: (Score:2)
da (Score:2, Funny)
Skype and firewalls. (Score:2)
I'm not too familiar with skype and its relation to firewalls but wasn't there an article or two(and this [cyberciti.biz]) about Skype's ability to use voodoo to penetrate firewalls? Any alternative clients? I'm not by any means an expert, by the way
Man-in-the-middle against SSL? (Score:5, Interesting)
The only possibility that I can see is to modify the browser itself, so that when the user tries to get a secure connection to www. criminals.com, the browser contacts www. police.de instead, gets a valid certificate from the police, while the police's computer then makes a secure connection to www. criminals.com.
Re: (Score:3, Informative)
Re:Man-in-the-middle against SSL? (Score:4, Interesting)
With a minute of thinking: The first method would be much better, because they don't need to know ahead who I am going to contact.
With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?
With a further minute of thinking: My computer has about 100 root certificates installed that came with Leopard, and similar things happen for Windows users. I have no idea where these certificates come from; I just have to trust Microsoft and Apple. If the police could convince Microsoft and Apple to put a root certificate owned by the police into their installers, then the police could read anyone's SSL connections without breaking into their homes (but breaking into their connection a bit further down the line)?
Re: (Score:2)
Re: (Score:2)
If they DNS spoof and redirect traffic to one of their servers, and have a valid certificate for "whateversite.c
Re:Man-in-the-middle against SSL? (Score:4, Insightful)
Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browers.
Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.
Re: (Score:2)
My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates...
As it happens, Verisign is brazenly advertising "lawful intercept" services [verisign.com] and you can find pages gushing about it right on their website.
So, yes, for a fee they will ab/use their position as Trusted Third Party [coverpages.org] and fake authorization of certificates to facilitate MITM attacks. But their M.O. is to subcontract to the telecoms/ISPs, so they would never need to do anything as messy as installing a box on your street.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2, Interesting)
Probably in the same way that governments perform any other interception methods, full cooperation from corporations.
Look at who Narus, the manufacturer of big honkin' communication vacuums that the NSA has installed at ATT and other telco's, partners with:
http://www.narus.com/partners/index.html [narus.com]
Re: (Score:2)
Re: (Score:2)
1) Attack the machine via Trojans or what have you.
2) Poison the hosts file to point www.verisign.com or whatever to your server you have setup.
3) Poison the DNS server(s) to do the same as #2.
4) Hijack the upstream router and make a routing entry to your own server. (You can make your interception server do both DNS *AND* SSL then)
5) Attack the receiving machine via trojans or similar methods to the above.
The scary thing is this would actually work. Almost noone c
Re: (Score:2)
Numbers 1 & 5 are not MITM at all. These are trojan/intrusion attacks at the source. If someone can place their code on your system, then you got a lot more to worry about than SSL transmissions.
Re: (Score:2)
Really? I thought that was the whole point of PKI and certificates. A bogus certificate would not validate and you would know. In the case of a web browser, you would normally see a dialog box that indicates that the certificate cannot be verified. Most users have by now been conditioned like Pa
It's NOT the german gov,... (Score:5, Informative)
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102375/;words=Skype [heise.de]
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102485/;words=Skype [heise.de]
Re:It's NOT the german gov,... (Score:5, Funny)
How does this affect admissibility? (Score:2, Interesting)
What's interesting here is the collection of evidence by installing spyware: if forensic analysis of a disk means absolutely nothing may be installed/changed/touched on the disk, how are they allowed to install their own software? does this invalidate any evidence they collect for use in a court, or are civil law courts a bit more flexible with such things?
Secondly, the problem here doesn'
"how are they allowed to install their own..." (Score:3, Insightful)
Good question. The best answer is, the bavarian minister has exactly no idea of software and how it works. He shares his unknowledge with his federal counterpart Wolfgang Schäuble, the guy responsible for the so called "Federal Trojan" (Bundestrojaner).
http://en.wikipedia.org/wiki/Wolfgang_Sch%C3%A4uble [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Skype is not securely encrypted. (Score:5, Informative)
It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.
http://en.wikipedia.org/wiki/Skype [wikipedia.org]
Re: (Score:3, Interesting)
According to this: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf [ossir.org]
Skype seems to use AES for the VOIP payload, and RC4 for signaling packets.
Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling.
I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.
However, there was an "independent"
Re: (Score:3, Informative)
It's nice that Skype is at least smart enough not to use DES, or ROT-13. AES is good encryption.
Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling. I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.
I couldn't agree with you more.
However, there was an "independent" review of Skype, which I understand was able to review the source code.
You put "independent" in quotes. After reading the pdf you linked to, I could see why. From the pdf:
You may imagine my delight when, in April 2005, Skype contacted me and invited me to compete for the job of performing an independent evaluation of Skype information security
Skype thinks they are hiring an independent evaluator? I wonder how many independent evaluators they had to go through before they found one who was confident in Skype's security, so that they could display how secure they are.
So to summarize, we have:
+ Skype uses a good,
Re: (Score:3, Informative)
However, before everyone rushes to judgment -- the guy who did the evaluation appears to have impressive credentials for assessing the effectiveness of implementation of encryption algorithms.
Check out his page: http://www.anagram.com/berson/ [anagram.com]
In my opinion, as a crypto dilettante, this guy Tom Berson is the real deal.
Of course, Skype showed him selected parts of the code, which may or may not be in the final produc
Re: (Score:2, Interesting)
Source Audit (Score:2)
The classic /. question..... (Score:3, Interesting)
Re: (Score:2, Informative)
Skype on linux is a bad idea (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
I for one (Score:5, Insightful)
That is why I am proud to be an American. They what, Oh damn.
What about China? (Score:2, Interesting)
I'm wondering now about China. I remember that Skype was, for a short time, on slippery footing for continued operations in the People's Republic. Then, for some reason, there was no longer a problem. I can't help but suspect that Skype may have opened up its code to China in order to continue operating there. The Chinese government liv
anybody who believes skype to be safe, .... (Score:2)
To paraphrase Carlin (Score:2)
End to End Only (Score:2)
When the network and all its intermediary nodes don't have to be trusted, because they just carry opaque traffic that only the endpoints c
Re: (Score:2)
Re: (Score:2)
Just because Bush has shredded the 4th Amendment in a long line of presidents and Congresses trampling it doesn't mean Americans like me are giving up on our rights. Especially when they're still usually protected.
The American people are sheep (Score:2)
Er, wait a sec, did you say Germany? Hmm. Maybe we'll get to see what it looks like when an the public, enraged by the abuses of their government, shows the bastards who's boss.
Re: (Score:3, Funny)
Re: (Score:2)
The US is not becoming like nazi Germany! (Score:2)
9-11, 9-11, they will cower in fear and let the government do whatever the hell it wants.
Er, wait a sec, did you say Germany? Hmm. Maybe we'll get to see what it looks like when an the public, enraged by the abuses of their government, shows the bastards who's boss.
Sounds familiar. Didn't the German people do exactly that when they chose Hitler to tear apart their perceived bondage and servitude to the Internationalists? The German people reacted with a violent xenophobia that ultimately gave rise to the second world war. The German people targeted one group in particular, because they were incensed at their perceived control over Germany's finances, media and political apparatus and their perceived ruthlessness; squeezing the German people mercilessly and withou
Re: (Score:2)
Maybe, but... (Score:3, Informative)
Fascism (Score:3)
Anyone who thinks fascism in Germany ended with the fall of Nazism is severely mistaken.
Re: (Score:2)