
Microsoft Won't Say If Skype Is Secure Or Not. Time To Change? 237

jetcityorange writes "When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]. Microsoft was granted a patent a month after purchasing Skype that covers 'legal intercept' technology designed to be used with VOIP services. Is it time to consider more secure alternatives like Jitsi like Tor's Jacob Appelbaum suggests?"
This discussion has been archived. No new comments can be posted.

  • Seriously? (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 24, 2012 @12:04AM (#40745337)

    The more shocking idea is the assumption that any major VOIP service based in a major country does not allow intercepting on their services.

  • seriously? (Score:5, Insightful)

    by GNULinuxGuy ( 2483278 ) on Tuesday July 24, 2012 @12:09AM (#40745371) Homepage

    If you are serious about privacy Skype was never even an option! ;)

  • by houstonbofh ( 602064 ) on Tuesday July 24, 2012 @12:10AM (#40745381)
    If there is a third party running the server in the middle, there can be no trust. Run your own server if you need security. There are lots...
  • Re:Seriously? (Score:3, Insightful)

    by Anonymous Coward on Tuesday July 24, 2012 @12:12AM (#40745401)

    Yeah, another non-story.

    And no, we will not switch to your unheard-of, no-name, pet-fav, video conferencing software. Definitely not because some guy from the tor project said we should.

    Our families all use Skype and it works fine.

  • Re:VOIP (Score:5, Insightful)

    by houstonbofh ( 602064 ) on Tuesday July 24, 2012 @12:13AM (#40745409)
    However, with minimal security, you can at least avoid any automated eavesdropping. And arguably, there is consumer level security that can stand up to almost anything short of someone hitting you with a wrench.
  • by tftp ( 111690 ) on Tuesday July 24, 2012 @12:16AM (#40745427) Homepage

    I just tried Jitsi while /. was in maintenance mode. It does not work on this very standard Win7 box. Incoming audio is missing; logs are missing. Uninstalled already - not usable. Bria works fine. My VoIP server (3CX) is on the local subnet.

    But even beyond that, Jitsi is not a solution; it's a component. The only way to make it into a solution is by selling your soul for cheap to the likes of Google and Facebook. That would be counter-intuitive for a product that sells itself as a secure thing.

    The only reasonably secure way is to run Jitsi on your own SIP server. However that is not an exercise for everyone. A geek can deploy a SIP server, but a common man cannot even understand what we are talking about here.

    I'd say that 3CX people already have a solution. First, they have a TCP tunnel that you can use to go through firewalls and specifically NAT. Then they support encryption [3cx.com]. And finally, their stuff works. (This is important, despite what some geeks say.) They also have a client for Android (besides the usual suspects.)

    However in terms of simplicity Skype leads the pack.

  • by Nostrada ( 208820 ) on Tuesday July 24, 2012 @12:17AM (#40745439)

    . . . with my Family are of interest to any government. Come on, Skype is for keeping in touch with the old folks at home. For anything serious you would use something more peer to peer without any 3rd party involved. And even then . . .

  • Re:VOIP (Score:4, Insightful)

    by Sir_Sri ( 199544 ) on Tuesday July 24, 2012 @12:23AM (#40745483)

    But of course, we _are_ talking about Microsoft in this case

    Which comes with benefits too. Microsoft being a big, publicly traded company with offices in all major countries has to follow consumer protection and privacy laws too, and they can be in for a world of hurt if they don't. Using some 'inherently private' setup runs the risk that somewhere along the line that system both has a bug in it, and that bug is being actively exploited against you - and you have no recourse against the company running it (or the peers).

  • Re:VOIP (Score:5, Insightful)

    by Minupla ( 62455 ) <`moc.liamg' `ta' `alpunim'> on Tuesday July 24, 2012 @12:34AM (#40745565) Homepage Journal

    And if we're to the wrench hitting level, breaking into your house and installing a mic bug in your keyboard works a treat for tapping your VOIP conversations.

    Min

  • Re:Seriously? (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 24, 2012 @12:34AM (#40745573)
    This is the sort of thing that should be attacked at the source, which is the government, not the companies/people that are obliged to abide by the laws set out by that government.
  • Re:VOIP (Score:5, Insightful)

    by EdIII ( 1114411 ) on Tuesday July 24, 2012 @12:37AM (#40745595)

    That's a rather defeatist attitude.

    Sure, the government could fake an anal probing and install their monitoring infrastructure in my nether cavities, but is it worth all that trouble?

    It's not about if you can be tapped, but how much resources were used to do the tapping. ZRTP (endpoint-to-endpoint encryption) mentioned in their alternative Jitsi, would substantially raise the bar for casual automated interception.

    That's the idea really. Make it to where everything they intercept is heavily encrypted with well used, well scrutinized encryption methods. If they want to bypass that encryption it will require having direct control over your device, to have direct influence on the platforms and software, or well known backdoors in software. That substantially raises the bar on multiple fronts since it will require specially crafted malware, special legislation (boy will that be unpopular), and maintained secrecy (conspiracy theorists say they have it already) with cooperating companies. As for the secrecy, we are discussing patented technology to help the government automate eavesdropping right? Not like it is a big secret....

    The article has the answer already. It is time to move on. Find a newer platform that will not allow eavesdroppers and act only as a middleman to setup heavily encrypted communications. There are plenty of SAAS providers that only store encrypted data so they can turn over that data on demand to law enforcement and not have the keys.

    What may help the most, is what is lagging ass... IPv6. I can see a future with DNS records and open source P2P services that will allow us to directly control who can initiate communications with us. Once you get around not requiring a middleman to punch through NAT for VOIP services it becomes substantially easier to perform call setup and tear down.

  • by gweihir ( 88907 ) on Tuesday July 24, 2012 @12:43AM (#40745613)

    If you are getting concerned _now_, then you have been asleep at the wheel.

  • Re:VOIP (Score:5, Insightful)

    by Nursie ( 632944 ) on Tuesday July 24, 2012 @12:53AM (#40745659)

    "Anything transmitted online - whether it be VOIP or cleartext or whatever - can be tapped"

    I would dispute this. Or do you mean "They could tap it given several centuries and all the computing power on the earth" ?

    Some encryption is that good, and no I don't believe that the secret, shadowy, magical NSA have backdoors in every encryption library on the planet.

  • stands to reason (Score:2, Insightful)

    by roc97007 ( 608802 ) on Tuesday July 24, 2012 @12:54AM (#40745673) Journal

    When I heard Microsoft had purchased Skype, my first thought was "Skype is dead". It only remained to find out in what way it met its demise.

  • by Anonymous Coward on Tuesday July 24, 2012 @01:04AM (#40745723)

    Because it is a voice service, not a data service. The system compresses the "sound" going across the line, and sometimes even drops bits to keep the latency bearable. You could use some sort of analog device which can survive through such things, but then we are right back in the early 1980's.

    Sometimes the best move forward is a brief step backward.

  • Re:VOIP (Score:5, Insightful)

    by davester666 ( 731373 ) on Tuesday July 24, 2012 @01:27AM (#40745821) Journal

    That's funny.

    What 'world of hurt' would Microsoft be in for?

    Don't you remember what the US gov't did to help out their friends at AT&T and the rest of the 'conventional' phone industry when they happened to get caught assisting the gov't in mass recording of phone calls?

    Is there any gov't that is not interested in even occasionally listening in on some Skype calls? No. Any countries passed a law preventing wiretapping VOIP calls? No. So having a back-door into every call is legal around the world.

    All that's left to argue about is how that back-door is used. And surely you can trust Microsoft to do what's right.

    And I'm sure they've only occasionally wiretapped calls where neither user is within the borders of the requesting country.

  • Re:Seriously? (Score:4, Insightful)

    by Zemran ( 3101 ) on Tuesday July 24, 2012 @02:04AM (#40746015) Homepage Journal

    For personal, of interest to no one, type communication your point is valid but if I am communicating with regard to trade secrets it is very important to me to know that my communication is secure. Skype used to be secure and therefore this is an issue.

  • Skype is insecure. (Score:5, Insightful)

    by bmo ( 77928 ) on Tuesday July 24, 2012 @02:16AM (#40746065)

    "When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]"

    Then it's not. When you have to guess, in this case, whether skype is secure, assume the worst. Absence of proof of security is proof of no security.

    --
    BMO

  • Re:VOIP (Score:5, Insightful)

    by TheGratefulNet ( 143330 ) on Tuesday July 24, 2012 @03:49AM (#40746501)

    I like how you phrased that. that the govs *give themselves* the right to wiretap. this was NEVER a right transferred from the people to their rulers.

    "but we can catch bad guys!"

    yeah, and you can catch good guys, too. is this balance worth it? when we all lose our sacred (imho) right to private comms with each other, as we choose? when we have to wonder 'is someone going to use this out-of-context such and such against me if they tap into my comms?'

    chilling effect. it's here and it's disturbing.

    but the govs gave themselves this right. they STOLE this right without due process.

    no one seems angry about it as it's all explained as 'well, if we catch bad guys, how can you be against this?'

    we once used to think that it was more just to let a few bad guys go than to have even one innocent guy be punished. but we have broken this idea with our privacy. we think that trading privacy for security is a 'win'.

    we didn't always think this way, though.

    every time I hear 'lawful intercept', I throw up a little. it makes me sick what we do to our dignity and personal rights. it's NOT a fair trade! and we were NOT asked!!

  • by mat.power ( 2677517 ) on Tuesday July 24, 2012 @07:37AM (#40747381)

    Can you confirm for me your heterosexuality? If you cannot prove then I shall have to assume the worst.

    Way to go asshole, here you've implied that being homosexual is a bad thing.
