More Skype Back Door Speculation
An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
Re:Open source VoIP alternatives? (Score:2, Informative)
Re:Open source VoIP alternatives? (Score:5, Informative)
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.
I asked the internet, she donned her Stupomitron Helmet, et voilà [wikipedia.org]
yes (Score:5, Informative)
Re:Open source VoIP alternatives? (Score:4, Informative)
Re:Decode the protocol? (Score:5, Informative)
Re:Disassembly anyone? (Score:5, Informative)
If it was easy, someone would have done it by now, and made Gnype, don't you think?
Re:Open source VoIP alternatives? (Score:3, Informative)
I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that are completely open.
For Linux there's a decent program called I Hear You (IHU), very simple program, GPL-licensed etc., you can find it at http://ihu.sourceforge.net/ [sourceforge.net]
Re:Open source VoIP alternatives? (Score:3, Informative)
VoIP/SIP is open.
You only need a client [voip-info.org] and an account with any of the free SIP providers. Or you set up Asterisk (or another free PBX software) and become your own provider.
The problem with SIP is that few people actually use it whereas Skype is everywhere.
Re:Open source VoIP alternatives? (Score:5, Informative)
An alternative to what? To Skype? To the PSTN? Software running on a PC is always going to be a poor solution, and is far from your only option for Internet voice communication. You do NOT need some app on your PC to do VoIP. What you want is something called an ATA - it's a little box that has a jack for a regular phone, and an Ethernet port. They are often supplied with service such as Vonage, but are usually 'locked' down to that provider. You can also buy them directly, but you will of course still need 'something else' to initiate SIP connections to. For information about real VoIP networks (both net-to-net, as well as PSTN interconnection), visit voip-info.org
Re:Open source VoIP alternatives? (Score:5, Informative)
"Unlike its competitor network Skype, the Gizmo5 network uses open standards for call management, the Session Initiation Protocol and Jabber."
Re:Open source VoIP alternatives? (Score:1, Informative)
The Gizmo5 client is proprietary, but it uses open, standard protocols (including encryption by SRTP).
Of course if you want to go open source there are a lot of SIP clients available (on Windows and Linux anyway, less so on OS X). Twinkle ( http://www.twinklephone.com ) looks pretty good, I just wish it was cross-platform.
Re:Open source VoIP alternatives? (Score:5, Informative)
Using an open standard is not the same thing as being "open source" or "completely open".
Re:Open source VoIP alternatives? (Score:5, Informative)
Several orders of magnitude more daily minutes are done with SIP than Skype. SIP is used for corporate networks and calling card providers and lots of other situations.
Re:Open source VoIP alternatives? (Score:1, Informative)
freeswitch.org does SRTP/TLS so even with VoIP you can have it encrypted. It can also do passthrough which would let things like Phil Zimmermann's ZRTP do its magic.
In addition I am working on a PSTN encryption system primarily designed for mobile phones, but I plan on writing a FreeSWITCH module to make it work for PSTN links as well.
If you ever use a server you do not control you run the risk that those who do control it will get a warrant and not inform you of such (often warrants come with gag orders attached, even subpoenas do). If you control it you will be able to (usually) detect downtime and installation of weird software you don't recognize (or you are unqualified to run the system :)
Re:Open source VoIP alternatives? (Score:3, Informative)
VoIP is peer-to-peer. A server is only used for matchmaking, and bandwidth is minimal.
Besides, OSS != guy in basement. Mozilla, Canonical and Red Hat somehow manage to pay for a few servers and a bit of bandwidth.
Re:Open source VoIP alternatives? (Score:5, Informative)
And the network effect no longer applies if Ekiga users can call Skype users (And they can [tmcnet.com]).
Re:No possible way to disprove the claim (Score:2, Informative)
So if there is a backdoor, their site is lying, and I can smell a class action.
SIP Skype (Score:3, Informative)
Asterisk+SIP+Ekiga is not a good replacement for Skype:
Add to this that Skype has existed for a large number of years (5 years is "long" in "internet time") and it's not exactly known as a big medium for spreading viruses, hack attacks, etc. and you'll realize that security through obscurity actually can work. Of course, past trends are not an indication of future behaviour, but you can't argue with results.
Re:Open source VoIP alternatives? (Score:2, Informative)
Zfone?
Encrypted calls > Ekiga.
Sorry, I love Ekiga myself, especially since it has video, but I don't want to be eavesdropped on. Which is why until Ekiga incorporates Zfone's SDK, it's Zfone all the way. The software is "open source", like PGP is "open source", but the libs and the SDK are GPL. For the program, they won't accept your contributions, and I'm not too sure if they will for the libs, either; I guess it's mostly to keep it untampered, but they should be accepting contributions for the libs and SDK...
Their encryption is pretty cool. Even the "basic" encryption works great; and the "extra" stuff is mostly just reading out a passphrase.
Re:Open source VoIP alternatives? (Score:5, Informative)
Because something like this will be audited if at all possible. Skype is closed, the binary is encrypted, it auto-exits in the presence of debuggers, and does various other things to prevent reverse-engineering. And, still, someone at BlackHat took it apart and found a remote vulnerability. If it were open source and popular, a lot more people would be poking it for holes.
More important than open source, here, is open standards. In an open standard, lots of cryptographers will look at the protocol for holes without considering the implementation details, and lots of others will look for holes in specific implementations. Implementation-related holes (such as the heap-overflow exploit in Skype) will not affect as many people, because there will be competing implementations and not everyone will be locked in to a single provider. If the hole is in the protocol (and allowing a midpoint to intercept the conversation is a hole in the protocol) then it is more likely to be found if the protocol is subject to peer review, which things like SRTP (which SIP can run on top of) have been.
Re:Open source VoIP alternatives? (Score:3, Informative)
Re:Open source VoIP alternatives? (Score:4, Informative)
FreeSWITCH (www.freeswitch.org) is completely open, is MPL licensed and supports TLS & SRTP. Make sure you get the right phone with the right firmware because not all phones properly support TLS & SRTP. Ask in the #freeswitch IRC channel on freenode.net or the FreeSWITCH mailing list which phones are known to work.
Asterisk has support for TLS in their development tree. Afaik their SRTP support is an untested patch in the bugtracker. At this point in time Asterisk does not seem to offer a working, stable TLS & SRTP solution.
Re:What keeps me with Skype (Score:4, Informative)
A quick search revealed a bunch of companies. Here are some:
http://sipnumber.com/ [sipnumber.com]
http://www.ipkall.com/ [ipkall.com]
http://www.freedigits.com/ [freedigits.com]
Those are free services. The last one seems to have problems, though. :)
Paid services exist, too. Just google it.
Re:Skypes Own Comment (Score:2, Informative)
Re:Open source VoIP alternatives? (Score:3, Informative)
If I remember correctly there are at least two solutions to that.
ZRTP is one.
http://swik.net/encryption+sip [swik.net]
http://en.wikipedia.org/wiki/ZRTP [wikipedia.org]
Try OpenWengo (Score:3, Informative)