European Crackdown On Skype "Loophole"

angry tapir writes "Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police. Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions, has announced the opening of an investigation involving all 27 countries of the European Union."
  • by Spazztastic ( 814296 ) <spazztastic@gmai ... inus threevowels> on Monday February 23, 2009 @07:38AM (#26956173)
    Or allowing law abiding citizens to speak with their relatives in hostile countries without worry of big brother listening.
    • by TheRaven64 ( 641858 ) on Monday February 23, 2009 @07:45AM (#26956211) Journal

      And what sensible criminal would use Skype anyway? If you care about potential eavesdroppers, you don't use proprietary encryption, and especially not proprietary encryption over a proprietary protocol that has been shown to be insecure (see the Black Hat paper).

      If you want security, run SIP over SRTP, with clients that have undergone third-party security audits.

      • by orzetto ( 545509 ) on Monday February 23, 2009 @08:58AM (#26956725)

        If criminals knew that much about IT, they would have an IT career, not a criminal one.

        Most criminals are at best casual users of computers. While they might hire a whiz kid to encrypt their calls, that is quite rare: hiring someone from outside the criminal environment to encrypt communications opens a much larger security hole than Skype ever could.

        You are assuming that the knowledge level common here on Slashdot is common in the real world. It isn't. I remember that Bernardo Provenzano, head of the Sicilian Mafia, used a Caesar cipher using a bible as key to send his orders around, and someone here on Slashdot commenting "what, he does not know of PGP?!?".

        • Re: (Score:3, Interesting)

          by mdwh2 ( 535323 )

          If criminals knew that much about IT, they would have an IT career, not a criminal one.

          Unlikely - that argument might work for petty thieves, but not major criminals, especially terrorists whose motivation is often not money in the first place.

        • by morgan_greywolf ( 835522 ) on Monday February 23, 2009 @09:09AM (#26956827) Homepage Journal

          You're kidding right? IF terrorists can learn to fly a jumbo jet, which, mind you, is a very complex beast that requires a lot of training, simulator, and real-world flying time to be able to fly one, or if they can become munitions experts, what's to stop terrorists from becoming IT experts?

          Nothing. Nothing at all. Terrorists can take the same classes you took, take the same training you took, and learn as much about IT as you did.

          Anyone determined enough to kill a bunch of people in order to achieve notoriety for their cause can learn just about anything if they think it will help them achieve their goal.

          • Re: (Score:3, Funny)

            by N Monkey ( 313423 )

            You're kidding right? IF terrorists can learn to fly a jumbo jet, which, mind you, is a very complex beast that requires a lot of training, simulator, and real-world flying time to be able to fly one,

            Surely, "the flying" of a modern jet is not the difficult part - it's "the landing".

            • by gomiam ( 587421 )
              Actually, I think the really difficult part is the take-off. I have heard about planes being able to land (in adequate conditions) since the 90s at least. See non-primary reference [wikipedia.org] (no Wilhelm name was added when I read it).
              • Re: (Score:3, Interesting)

                Speaking as a pilot, I have to say it's landing that's more difficult. There are autopilot systems that can take off, fly, and land, but landing's the challenging one.
                But in any case, the reason you have a pilot is for when things go wrong. When things are going right, a monkey could take off, fly, and land a plane. When things go wrong, it takes knowledge to know what has gone wrong, and how to survive it. That's where the difficulty comes in.

                I can't find the graph online but there's a neat graph that'

          • You're kidding right? IF terrorists can learn to fly a jumbo jet, which, mind you, is a very complex beast that requires a lot of training, simulator, and real-world flying time to be able to fly one, or if they can become munitions experts, what's to stop terrorists from becoming IT experts?

            They learned to "fly" a jumbo jet mostly from training in a Cessna 172 - a dinky four seat single engine propeller driven aircraft.

            The thing is, after you've learned how to use the navigation equipment, actually FLYING a jumbo jet isn't THAT hard, and isn't that different at all from flying any other airplane. Landing, takeoff, and other special situations that don't always crop up are where these things get more difficult, but the 9/11 terrorists didn't need to worry about those parts.

            All in all, grabbing

            • Re: (Score:2, Insightful)

              Um, at least two of those planes (probably all of them) were steered hundreds of miles off course by the terrorists.

              • Which doesn't entail landing or taking off. Most small planes used for training are equipped with AT LEAST a VOR. Just a VOR + a compass (or directional gyro) is all you need to navigate a plane virtually anywhere in the country, regardless of size.

                And if you give me a decently bright person, I could have them able to correctly navigate using a VOR within hours.

          • by orzetto ( 545509 )

            You are looking at the worst-case scenario. Of course some very motivated criminals may well use advanced cryptography (or learn to fly jumbo jets), but most do not. If you are looking at some run-of-the-mill picciotto (mafia soldier), or even a mafia boss, he will hardly know how to spell properly, let alone using a computer. Using Skype is already pretty advanced for their standards.

            Of course you get also experts. But, the kind of 9/11 conspirators you are thinking about are few and far between, and consi

            • Re: (Score:2, Insightful)

              Mafia bosses have money and can hire whatever talent they want. Heck, they could even offshore it. It's not like these Indian offshoring companies are asking who their customers are or how their work is going to be used. They're whores. They'll do anything for cash.

            • Re: (Score:3, Interesting)

              by ultranova ( 717540 )

              If you are looking at some run-of-the-mill picciotto (mafia soldier), or even a mafia boss, he will hardly know how to spell properly, let alone using a computer. Using Skype is already pretty advanced for their standards.

              Mafia is organized crime. The whole point of organization is division of labour. The very fact that you distinguish between the Mafia soldier and Mafia boss is evidence enough of that. Consequently, it doesn't matter whether Don Stoneage knows a computer or not, since he has IT staff to d

          • It's much worse than that. The knowledge for using an encrypted tool is much more portable than that used to fly a plane. Once one has learned which tools to use, the whole collective effectively has.

        • Bernardo Provenzano, head of the Sicilian Mafia, used a Caesar cipher using a bible as key

          Huh? The key to a Caesar cipher is an integer between 1 and 25. Where does the bible fit in?

        • Hey, geeks can be criminals. It must be true, I saw it on "Jake 2.0"

        • Do you mean a Vigenere cipher?
      • Re: (Score:2, Interesting)

        Not to mention that just about anything can be tunneled through SSH. And exactly what exists to stop terrorists or other criminals from simply creating their own protocols? Do they think that law-abiding citizens have some sort of monopoly on computer geeks? I think almost any decent network programmer with some sort of communications security background should be able to come up with an entirely new, secure protocol from scratch.

        Probably they should just outlaw the whole Internet and all forms of encrypt

      • Re: (Score:3, Insightful)

        by linhux ( 104645 )

        You mean the paper [blackhat.com] that explicitly concluded that "Skype was made by clever people" and "Good use of cryptography"?

        Yes, it has weaknesses, but unless you get your victim to run a trojanized Skype (at which point they'd be screwed either way), it still seems reasonably secure. Oh, and of course you trust Skype Inc anyway, if you're running their binary.

        That said, Skype is inherently scary, and I'd naturally advocate an open source, peer-reviewed system. I just get the feeling that many people misinterpreted

      • by jambox ( 1015589 )
        What sensible criminal would try to blow up a plane with a mixture of Tang and hair bleach, while carrying a USB stick with an unsecured .xls of potential bomb targets on it?

        http://news.bbc.co.uk/1/hi/uk/7894755.stm [bbc.co.uk]

        Sensible criminals like the Russian mafia and the Colombian drug cartels have gotten western intelligence services beaten all ends up. Being able to spy on loonies who just might cause some serious damage is understandable enough, isn't it?
    • Re: (Score:3, Insightful)

      Yes yes, but obviously governments will rarely, if ever, welcome technology that increases the power of the citizen. They are there to *govern*. In other words, no government will much give a damn if a hostile country listens in on calls made into their territory if preventing that means any decrease in their own ability to conduct surveillance. They were fine with it before Skype, why would they care now?
      • "In other words, no government will much give a damn if a hostile country listens in on calls made into their territory if preventing that means any decrease in their own ability to conduct surveillance. "

        That's not entirely true. They do care if a hostile country listens in on calls, but they only care if they are going to lose out from it.

        There was a documentary on sky science a few days ago about hacking. What stood out for me was a comment by some government ex-director of security saying that at le
        • doh... "sky science" I should have said, "discovery science" ... need food, brain not working so good. :)
    • by MoellerPlesset2 ( 1419023 ) on Monday February 23, 2009 @07:56AM (#26956283)
      Who's 'big brother' here?
      The European governments who want to eavesdrop on suspected criminals after obtaining a court order, or the US and UK governments who are presently listening to everybody in Europe, and have been for quite some time, through ECHELON?
    • by tjstork ( 137384 )

      Or allowing law abiding citizens to speak with their relatives in hostile countries without worry of big brother listening.

      Well, they are hostile countries, you know.

      • Or allowing law abiding citizens to speak with their relatives in hostile countries without worry of big brother listening.

        Well, they are hostile countries, you know.

        I have a good friend in Lebanon who I keep in touch with on MSN and used to talk to on Skype (before his connection became too volatile). If the government really wants to listen in to us discussing (Well, at the time) World of Warcraft strategies and how the raid the night before went they can be my guest, but if I am discussing family matters with relatives who travel regularly, it's nobody's business.

    • by mzs ( 595629 )

      My family got political asylum in the United States because of what my father was involved in. Every letter sent to and from was opened and read. It was kind of cute in fact because they did nothing to hide the fact. Every envelope was slit along the top and then there was a piece of paper inserted with a note to the effect of, "due to an ongoing investigation..." We knew the government was about to collapse when the investigators began to steal the money we included. In the beginning they were incredibly p

  • Too many loopholes (Score:5, Insightful)

    by mangu ( 126918 ) on Monday February 23, 2009 @07:47AM (#26956219)

    Suppose they have a way to intercept Skype calls and decrypt everything. How will they know a conversation like "Aunt Emma's cat had seven kittens, three black and four white" actually means "I'm sending seven kilos of heroin, Giuseppe will take three and Giovanni four"?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      That's an issue which applies to any form of intercepted communication not just skype

      • by mangu ( 126918 ) on Monday February 23, 2009 @08:05AM (#26956337)

        That's an issue which applies to any form of intercepted communication not just skype

        Precisely. Intercepting communications is pointless if the target has reason to suspect they are being watched. That's why the US and Britain went to great efforts to disguise the fact that they had broken the German and Japanese encryption systems during WWII.

        For instance, when American fighters shot down admiral Yamamoto's plane the US didn't report the fact. They wanted the Japanese to believe that was just a chance encounter, not an action planned from a flight schedule they had known from decrypted Japanese communications.

        • by horza ( 87255 )

          Intercepting communications is pointless if the target has reason to suspect they are being watched.

          It isn't pointless, it makes things much harder which isn't the same thing. First of all it will require much more patience, for either a slip or desperation to get a message through. On the plus side it will hinder the activities of those being watched. Even if they use some verbal code patterns will emerge, otherwise they need to refresh the key out of band which is inconvenient and carries its own risks. P

    • Furthermore, how will they prevent people from using third-party add-ons to encrypt their comms themselves? If you can't make your own skype client then you need to encrypt the audio before skype catches it, and decrypt it after skype plays it out. Shouldn't be impossible. But that's not the point, is it? Blanket surveillance measures will never catch determined adversaries, they are useful only against the population at large. This is the every-citizen-is-a-potential-criminal mindset at work yet again.
    • by Chrisq ( 894406 ) on Monday February 23, 2009 @08:08AM (#26956357)

      Suppose they have a way to intercept Skype calls and decrypt everything. How will they know a conversation like "Aunt Emma's cat had seven kittens, three black and four white" actually means "I'm sending seven kilos of heroin, Giuseppe will take three and Giovanni four"?

      because you've just told us - and you are now on the "listen" list

    • by Dunbal ( 464142 )

      How will they know a conversation like... actually means

      And they will NEVER know that an email sent from 4321cba@gmail.com to 91023ofg@hotmail.com containing an attachment which was just a JPEG photograph of people on a ski slope, with three people on the left of the picture and four people on the right - means EXACTLY the same thing.

      This is still the same "make believe security" bullshit that governments are so good at to cause the paranoid masses to support them, while wasting money and not actually doing

    • The first one is a drug deal, and the second one is two teenagers playing some online computer game.

      Right?

    • by JasterBobaMereel ( 1102861 ) on Monday February 23, 2009 @09:05AM (#26956797)

      Arbitrary codes like this and one-time pads have been proven (when done correctly) to be absolutely secure, whereas all encryption in theory is insecure (the only exception is quantum encryption)

      Skype is a well known protocol, with a known encryption system, and is not secure ....

    • by Asic Eng ( 193332 ) on Monday February 23, 2009 @09:37AM (#26957141)
      As much as I'm a privacy advocate ... Fact is most criminals are not particularly clever - often they make mind-numbingly stupid mistakes. One of the tasks which the police have to solve is to process the stupid criminals quickly, so that they have resources left for the more intelligent ones. Besides, in theory you can avoid any one mistake, but in practice it's impossible to avoid all of them.

      So suppose the police intercept the conversation example you used. What does it tell them? Well - first they are going to find out that neither of the people involved actually has an aunt emma, or indeed any aunt who owns cats. Alternatively they might be aware that the people involved don't exchange a lot of private information, hence are not close enough to care about the cat of some relative. So they know it's a code and from that they know that something is going to happen. The recipient is a suspected drug dealer, the sender a suspected supplier, so they guess that it's about a drug deal. Possible action: keep a close watch on the recipient of the message - he may receive the drugs soon, or he may establish contact with the persons receiving the drugs.

      Even if they can't guess the first thing about the content of the message - intercepting it can still yield information. E.g. it could tell them that the recipient is online now - using the IP address they could identify his location - or they could obtain a voice sample which could be used for identification. They could use the time someone calls to identify their daily routine - if suddenly a call is made at an unusual time (e.g. 2 am for someone who usually sleeps early) then they can guess that something interesting is going on.

      Taken to the extreme opposite - if intercepting communications between criminals would never yield results, then wire tapping in all forms would have to be stopped. We could determine whether that's the case by analyzing criminal cases - is wire tapping evidence never introduced, is wire-tapping information never used to guide investigations? If that's not the case, then we shouldn't expect a zero return for skype-interception either.

  • by dyfet ( 154716 ) on Monday February 23, 2009 @07:50AM (#26956245) Homepage

    One does not need to rely on proprietary or otherwise closed source solutions and protocols which may have or can in the future carry backdoors to achieve communication privacy. For the past three years, one could simply apt-get install twinkle with ZRTP support from any Debian repository, which has an open and proven model for peer-to-peer media security and a reference implementation of the ZRTP stack that is part of the GNU Project. More recently, there is SIP Communicator, purely Java based and truly multi-platform, which uses the newer ZRTP4J stack. Existing non-B2BUA based SIP servers like opensips or GNU sipwitch can be used to organize and coordinate scalable secure calling networks. All the tools are there to do verifiable communication privacy in freedom today.

    • by Kjella ( 173770 )

      which uses the newer ZRTP4J stack. Existing non-B2BUA based SIP servers

      I'm usually quite nerdy, but your post even gives me acronym overload. At any rate, I guess some of the point you miss would be hiding in a bigger network? Perfect security is fine, but not if you can just assume that everyone participating is involved in some nasty business.

      • This is a point that is very clear and not missed. The goal is not to put all the Chinese dissidents together on the same sipwitch server so they can all be easily found :). In fact, the goal is for sipwitch itself to eventually exchange sip users (callable uri's) peer-to-peer in a gnutella-like fashion, so that one can locate the person you want to call by querying a large public network cloud where ALL secure users can participate and are mixed together whoever they are or whatever they are doing, and N

    • Re: (Score:3, Funny)

      by Yetihehe ( 971185 )
      It's surprising that TMA* filter allowed you to submit your post ;)


      *Too Much Acronyms.
  • If the de facto standard was opensource, with provably well implemented encryption, then I wouldn't be safe from the criminal hordes.

    • Did we? I'm fairly sure we standardized on SIP, with SRTP support for those requiring encryption. Go into any modern office and the phones will be using SIP, not Skype. The fact that anyone can implement SIP devices means there is a lot more competition in the market, and a lot of cheap devices and software clients.
    • by jimicus ( 737525 ) on Monday February 23, 2009 @08:29AM (#26956501)

      If the de facto standard was opensource, with provably well implemented encryption, then I wouldn't be safe from the criminal hordes.

      It could have been. If an opensource project created a product which worked as well as skype I'm sure it could easily have been as popular.

      The problem with a plain SIP client is you suddenly find you need a SIP account with a provider - there aren't many truly international SIP providers and they don't all have agreements to allow SIP calls to be carried for free, which adds a lot of complication. And every layer of complication you add to a product will put a lot of people off.

  • Only Skype? (Score:4, Insightful)

    by tedrlord ( 95173 ) on Monday February 23, 2009 @07:59AM (#26956299)

    Somebody better tell them about all the other evil loopholes that criminals can use to talk over the internet. They'd better also be able to wiretap Yahoo and Windows Messenger voice, oh, and X-Box chat, and we're going to have to change the RTP protocol to send them a copy of all communications, of course. I'm guessing we'll have to hack all ssh clients to unencrypt VoIP traffic if somebody tries to tunnel it, too.

    Or, you know, just get on Skype's case because authorities apparently have no idea what they're doing and seem to believe that Skype is the only way to talk over the internet. I'm sure the criminals appreciate the heads up so they can make sure to use more secure methods.

  • All this crap we heard about Bush, and as we speak the UK is threatening to sink because of the weight of all its cameras, and now the EU wants to spy on everyone.

    • Re: (Score:3, Informative)

      All this crap we heard about Bush, and as we speak the UK is threatening to sink because of the weight of all its cameras, and now the EU wants to spy on everyone.

      The EU wants the existing wiretap legislation, the one that requires showing cause in court and getting a warrant, to be expanded to also include forms of IP-telephony. The Bush administration wiretapped everyone they felt like, without even bothering to show any cause or get a warrant from that rubber-stamp of a court that is FISA.

      Seems pre

      • The other thing about CCTV in the UK is that it is mostly privately owned. The state does not control the majority of UK CCTV. And they can't demand it without good reason.

      • How so many people can argue that the 4th amendment implies a right to privacy in everything, argue that Commerce clause gives the government the right to regulate CO2, but, that little phrase "the right to keep and bear arms shall not be infringed", somehow does not imply an individual right to keep and bear arms. My point is that everyone twists around the Constitution to mean what they want these days, and if you wanted to make a case for a civil right, you should do so not because it says that it is th

    • All what cameras? [channel4.com] And anyway, it's only the southern half of the UK that's sinking into the sea, Scotland is very slowly rising [conservancy.co.uk].

  • by TheGratefulNet ( 143330 ) on Monday February 23, 2009 @08:12AM (#26956373)

    I do worry about my (and everyone's) government.

    the governments are ruining our lives, NOT the terrorists OR the criminals!

    what an upside down world we live in. I truly don't fear criminals. I truly do fear my own government.

    what is a criminal going to do with info he taps from my line? otoh, we can clearly imagine the kind of damage that happens when the governments listen in.

    I wonder if we can ever fix this broken world of ours, where we have more to fear from the so-called good guys than the bad guys.

    • Re: (Score:3, Insightful)

      Yup.
      Since when do people who use undocumented features become criminals?
      And what right do the governments have in labeling such people criminals?
      Have they been proven guilty in a court of law?
      If not, then it means if the government indulges in unauthorised snooping it is OK by law?
      Why can't governments be held under the same law that they pass for citizens?
      For instance in US, it is a criminal offense to eavesdrop on a telephone line without a court order.
      If i do it, i have committed a criminal offense.
      Bu

    • by LVSlushdat ( 854194 ) on Monday February 23, 2009 @09:13AM (#26956881)

      Everybody pissed and moaned about how bad Bush was.. Just you wait till we've had Comrade Obama and his ilk in Congress for a couple of years.. You ain't seen NOTHING yet!! Before one of the many SlashLibs shouts me down as being a Republican, I'll admit that I *was*, for 98% of my life (I'm 58), but in the last couple of years, I've gotten absolutely fed up with the Republican party and am now an Independent.. Which means I'm disenfranchised.. Nobody to vote for.. In any event, I strongly suspect by the time I'm 65 in 2015, this country will be finished, only the cleanup of what it once was left to complete.. Of course, perhaps John Titor actually WAS from the future, and the civil war he reports that happened in 2012 really happened, after all he did say we'd start seeing signs of it in 2008-2009... I *used* to have to put on a tight-fitting tinfoil hat when I read the accounts of John, but not so much anymore...

    • as in, full of hysteria

      your government, as a citizen of a western democracy, is an extension of your will

      it is not some alien entity come to suck you of your freedom just for the fun of it

      i now await my lecture about how western governments are driven by the media, or the rich, or corporations

      blah blah blah

      such rationalizations are called learned helplessness, in which you indoctrinate yourself into your own slavehood

      your government is clearly an extension of the popular will. if you don't believe that, you

  • by AHuxley ( 892839 ) on Monday February 23, 2009 @08:19AM (#26956415) Journal
    If they want you, they will get you.
    Via hardware or software a gov can intercept with your calls.

    Any info seems more about extending national or wider legal powers.
    ie. Skype has been open to law enforcement, they just want to use it in court.
    http://wikileaks.org/wiki/Skype_and_the_Bavarian_trojan_in_the_middle [wikileaks.org]
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Monday February 23, 2009 @08:50AM (#26956645)
    Comment removed based on user account deletion
    • This sort of thing is very easy to use these days.

      Take, for example, Mixmaster. Great way to send truly anonymous email to somebody. Of course, they are unable to reply unless they know your email address (which Mixmaster hides), so layer Mixmaster with a nym server. Then you can send email, the person that receives the email can reply to it, and all of the traffic is encrypted and sent through the Mixmaster network.

      If you want to take it a step further, use Mixmaster with nym server accounts which forwa

    • A semi-smart criminal will be using e.g. /. to post messages

      Of course! That's it! And here I thought all these weird, incomprehensible AC posts were coming from pimple-faced teenagers with half an education and no life outside of sitting in the dark keying stream-of-consciousness babble into Slashdot. Now it all makes sense! It's a code of some kind.

      I wonder what "intertubes" is code for.

  • They can get more cooperation from skype, to be sure, and when they do criminals will switch to private and distributed encrypted channels. These will be outlawed, and they'll have to use steganography to hide.

    Meanwhile physical surveillance will be improved to the point where the unencrypted channel from the mouth to the handset and from the handset to the ear will be the easy target... but the legal residue of the effort to outlaw crypto will leave us in a situation where only the outlaws are safe using i

  • Suspicious phone conversations on Skype could be targeted for tapping
    Am I missing something here? How can you know a phone call is "suspicious" if you're not tapping it already? The mind boggles...
    • by wiredog ( 43288 )

      Well, if you know the call is coming from a known Mafioso, to someone he's never talked to before, then it's probably suspicious.

  • As long as they do it under Judicial oversight (e.g. with a court warrant) I don't see what's the problem - just because it goes "over the tubes" and might use computers in one or both sides doesn't mean it's "special", more than just a phone call and entitled to extra protection from the police.

    I'm a lot more concerned with large scale wiretapping without court orders than I am about court authorized wiretapping of calls that go over "the tubes".

  • I should think any sort of video calling makes monitoring much much more difficult. With voice calls, you can fairly easily hook up some text-to-speech and mine some medium-term recordings for potentially nasty combinations of words. True that'd only catch the careless but I believe it is done.

    With video calling you can't do that. If two terrorists were using Skype they could pass messages by writing messages on cards and holding them up to the camera - there'd be no way of transcribing or flagging that
  • by OneSmartFellow ( 716217 ) on Monday February 23, 2009 @09:39AM (#26957171)
    ...I just wish they had better advisors. There's simply no way to prevent a determined group from communicating in secret. Certainly this proposed legislation isn't going to help one bit. Perhaps they'll catch the dumbest of the groups, but then, they're probably the least dangerous anyway. I'm not suggesting they give up, but perhaps a radical change in tactics is in order.
    • It's not about catching anyone. It's about "doing something", so they can't be criticized for "doing nothing".

      • All in favour of their new strategy of luring hardened criminals to the local golf course for a few rounds ? Oh perhaps a ski weekend in Morzine ? That would be "doing something" too, but I think they'd have a bit more opposition to those plans (even if they might be more effective)
  • My guess is that most national security agencies have already broken Skype. Those national spy agencies probably have not shared that information with their local police. In fact, the spy agencies probably love it when the local police go around complaining that they can't tap Skype calls because it lulls the people they want to listen to into a false sense of security that Skype is safe. This story will probably go on for a long time. The spy agencies are going to make sure that no law gets passed that
  • Generic Laws (Score:3, Insightful)

    by squoozer ( 730327 ) on Monday February 23, 2009 @09:59AM (#26957405)

    I've often wondered why we can't have generic laws. Laws that cover a type of action rather than a very particular case of a type of action. For example we have enacted wire tapping laws so that we can listen to phone conversations; why didn't we enact an eavesdropping law instead so that the required authorities could apply for permission to listen into the communications of an individual regardless of how those communications were taking place. As far as I can see this doesn't erode privacy any more than it has already been eroded and it means that we don't need all the half brained politicians making up reams and reams of new legislation (which invariably is an excuse for mission creep).

  • by Jessta ( 666101 )

    lol, police still think they can spy on the conversations of criminals?
    They'll only get the stupid ones, which aren't the ones that you need a wiretap to find.
     

  • Your anonymous prank calls won't be so anonymous anymore...

  • icmp chat ( http://www.codito.de/ [codito.de] , http://www.codito.de/prog/icmpchat-0.7.tar.gz [codito.de] ) supports encryption and pads data to appear like completely normal ICMP traffic. It also supports all ICMP types, not just echo request/reply, so getting creative is trivial.

    Of course, port forwarding/proxy'ing anything/everything through ssh or openvpn is also trivial. Good luck eavesdropping on that.

    If anyone is caught doing anything "bad" with Skype, they're just ignorant, lazy, or both.

  • by Phil Karn ( 14620 ) <karn@@@ka9q...net> on Monday February 23, 2009 @12:45PM (#26959327) Homepage
    So this asks the obvious question: is Skype still secure?

    Obviously it can be broken by planting malware in the target's computer, but what are the other ways? Last we heard, independent reviews of the crypto protocols said they were pretty good.

    But I am quite sure there are exploitable weaknesses in the login server and protocol. Skype operates that server, so we can assume that it either is or soon will be compromised.

    Consider the following simple observations. I can install Skype on another computer, sign in with my existing user name and password, and talk to any of my existing contacts without any of them noticing anything unusual. I transferred nothing from my old installation, so my new installation cannot have any of its existing secrets. It knows only one long term secret: my account password, and I use that only to authenticate myself to the Skype login server.

    Furthermore, unlike most IM programs, I can sign in from multiple computers and switch between them during chat sessions. All will get copies of all that is said.

    This seems to demonstrate quite clearly that with the cooperation of the operator of the Skype login server, you can impersonate any Skype user and conduct either a man-in-the-middle attack or a conferencing attack.

    The weakness here is that you're relying on the login server to authenticate your correspondents instead of doing it yourself on an end-to-end basis. Without authentication, encryption is meaningless.

    You could probably add packet-level authentication mechanisms to Skype traffic to protect against this attack, but if you're going that far you might as well use something completely different that you can fully trust.
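
The end-to-end authentication point in the comment above, as an added example that is not part of the original thread and is not Skype's code: two callers each derive a short authentication string from the key exchange and compare it by voice (the approach ZRTP, mentioned earlier in the thread, uses), which reveals when the key server handed out a key other than the peer's. The `LoginServer` class, the toy Diffie-Hellman group and all names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for this example): 2**127 - 1 is prime,
# but far too small for real use. Real systems use standardised large groups.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2  # 2 .. P-2
    return priv, pow(G, priv, P)


def short_auth_string(own_priv, own_pub, peer_pub):
    """8 hex digits derived from both public keys and the shared secret.

    Both ends get the same value only if they hold the same shared secret,
    i.e. each one really received the other's public key.
    """
    shared = pow(peer_pub, own_priv, P)
    lo, hi = sorted((own_pub, peer_pub))  # order-independent transcript
    return hashlib.sha256(f"{lo}|{hi}|{shared}".encode()).hexdigest()[:8]


class LoginServer:
    """Hypothetical central server that tells clients which key belongs to whom."""

    def __init__(self):
        self._keys = {}
        self._override = None

    def register(self, user, pub):
        self._keys[user] = pub

    def answer_with(self, pub):
        """Model a server that answers every lookup with a key of its own choosing."""
        self._override = pub

    def lookup(self, user):
        registered = self._keys[user]  # KeyError for unknown users
        return registered if self._override is None else self._override


def simulate_call(server_substitutes_keys):
    """Run one call setup and report what the two users can observe."""
    server = LoginServer()
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    server.register("alice", a_pub)
    server.register("bob", b_pub)

    if server_substitutes_keys:
        _, third_party_pub = keypair()
        server.answer_with(third_party_pub)

    # Each client only knows what the server told it.
    bob_key_seen_by_alice = server.lookup("bob")
    alice_key_seen_by_bob = server.lookup("alice")

    alice_sas = short_auth_string(a_priv, a_pub, bob_key_seen_by_alice)
    bob_sas = short_auth_string(b_priv, b_pub, alice_key_seen_by_bob)
    return {
        # Ground truth, invisible to the clients if they trust the server alone.
        "keys_delivered_intact": (bob_key_seen_by_alice == b_pub
                                  and alice_key_seen_by_bob == a_pub),
        # What the users find out by reading the strings to each other.
        "sas_match": alice_sas == bob_sas,
        "alice_sas": alice_sas,
        "bob_sas": bob_sas,
    }


if __name__ == "__main__":
    for substituted in (False, True):
        result = simulate_call(substituted)
        print("server substitutes keys:", substituted, "->", result)
```

In both runs the lookups succeed and the clients have no reason to distrust the server; only the mismatch between the two spoken strings shows that the keys were not delivered intact.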
